# CVE-2026-22107

> A use-after-free vulnerability exists in the Android binder IPC driver (drivers/android/binder.c) in the transaction buffer release path. Improper reference counting during binder_thread cleanup leads to a dangling pointer to a freed binder_transaction object. An attacker with application-level code execution can exploit this via cross-cache memory reallocation techniques to reclaim the freed object with a controlled kernel structure, obtaining arbitrary kernel read/write primitives. Successful exploitation escalates privileges from application context to kernel, enabling SELinux bypass, crede

- **CVSS:** 8.4 (HIGH)
- **EPSS:** 56.8%
- **CWE:** CWE-416

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-22107
