# CVE-2026-22104

> A type confusion vulnerability exists in the Android Runtime (ART) dex2oat ahead-of-time compiler affecting Android 12 through 15. When processing a specially crafted APK containing malformed DEX bytecode, the ART runtime incorrectly handles type resolution during compilation, allowing an attacker to corrupt the vtable of a managed object and redirect virtual method dispatch to attacker-controlled native code. Successful exploitation achieves remote code execution within the target application process context. Google TAG identified active exploitation by commercial spyware vendor Saito Tech (f

- **CVSS:** 9.8 (CRITICAL)
- **EPSS:** 91.3%
- **CWE:** CWE-843

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-22104
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp