CVE-2026-22112
A protection mechanism failure vulnerability exists in the Google Pixel bootloader for Pixel 7, 8, and 9 series devices. A flaw in the secure boot verification chain allows an attacker with root-level access to bypass bootloader integrity checks and install persistent implant code that survives factory resets and OS re-installations. The vulnerability resides in the bootloader firmware signature validation logic, where a crafted payload can be written to a persistent partition that is not cleared during device wipe operations. Google TAG identified this as Stage 3 of the Saito Tech (formerly Candiru) commercial spyware exploit chain, used after CVE-2026-22104 (RCE) and CVE-2026-22107 (LPE) to establish hardware-level persistence on targeted devices belonging to journalists and political dissidents.
CVSS v3 vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-693
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-22112
- https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01
- https://blog.google/threat-analysis-group/
- https://eshard.com/posts/pixel6_bootloader
- https://www.directdefense.com/bypassing-the-google-pixel-tablet-dock-secure-boot/
- https://citizenlab.ca/research/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/