CVE-2026-22107
A use-after-free vulnerability exists in the Android binder IPC driver (drivers/android/binder.c) in the transaction buffer release path. Improper reference counting during binder_thread cleanup leads to a dangling pointer to a freed binder_transaction object. An attacker with application-level code execution can exploit this via cross-cache memory reallocation techniques to reclaim the freed object with a controlled kernel structure, obtaining arbitrary kernel read/write primitives. Successful exploitation escalates privileges from application context to kernel, enabling SELinux bypass, credential structure modification, and full root access. The vulnerability affects GKI kernel versions 5.10, 5.15, and 6.1 used across Android 12 through 15. Google TAG identified this as Stage 2 of the Saito Tech (Candiru) commercial spyware exploit chain, chained after CVE-2026-22104 for privilege escalation.
CVSS v3 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-416 (Use After Free)
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-22107
- https://source.android.com/docs/security/bulletin/2026/2026-03-01
- https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/
- https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
- https://github.com/0xkol/badspin
- https://blog.google/threat-analysis-group/