Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks
A high-severity use-after-free vulnerability in Samsung's KNOX security framework, present for eight years, exposed millions of Galaxy devices to kernel-level attacks.

Researchers at LucidBit Labs have uncovered an eight-year-old high-severity vulnerability in Samsung's KNOX security framework that affected nearly all Galaxy devices from the S9 through S25. Tracked as CVE-2026-20971 with a CVSS score of 7.8, the flaw is a use-after-free (UAF) bug residing in the kernel-level interaction between two proprietary subsystems: PROCA (process authenticator) and FIVE (kernel-side integrity subsystem). The vulnerability could allow an untrusted app to trigger kernel memory corruption, potentially giving an attacker a path toward deeper control of the device.
The flaw lies in how PROCA validates process authenticity using FIVE, which tracks the trust placed in each running process through a reference-counted task_integrity object attached to the task. When a process forks a child and the child calls execve(), FIVE creates a fresh integrity object for the new image and drops its reference to the old one, which frees it. A concurrent reader of the process's integrity value, the /proc interface served by proc_integrity_value_read(), evidently holds only a raw pointer to the current object rather than a reference that would keep it alive, so the swap is safe only if nothing else is looking at the object at that instant. Android's preemptible kernel does not guarantee that: the reader can be descheduled between fetching the pointer and dereferencing it. As the researchers explain, "The target task executes execve(), specifically task_integrity_put(old_tint), freeing the original struct. proc_integrity_value_read() resumes and calls task_integrity_user_read() with a pointer to freed memory." This classic race between a reference drop and an unsynchronized reader is what creates the use-after-free.
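To make the reader/execve race concrete, here is an added user-space model in C of the reference-counting mistake the quote describes. It is not Samsung's or LucidBit's code: the struct layout, the function names on the reader side, the preemption callback and the poisoned free are all simplified stand-ins. The vulnerable reader grabs the task's current pointer without pinning the object, so an execve() that runs in the preemption window frees it underneath; the hardened reader takes its own reference first, so the execve() path's put only drops the task's reference and the object survives until the reader is done.

```c
/*
 * User-space model of the PROCA/FIVE race. Not Samsung's or LucidBit's code:
 * every name here is a simplified stand-in (assumption) for the kernel objects
 * the article describes. "Preemption" is simulated with a callback, and the
 * kernel's kfree() is replaced by poisoning so the bad read stays observable
 * instead of being undefined behaviour.
 */
#include <stdio.h>
#include <stdlib.h>

#define TINT_MAGIC    0x54494E54u   /* live object marker */
#define FREED_POISON  0xDEADBEEFu   /* what a freed object reads as here */

struct task_integrity {
    unsigned int magic;
    int refcount;          /* a real kernel uses refcount_t / kref */
    unsigned int value;    /* integrity label reported through /proc */
};

struct task {
    struct task_integrity *tint;   /* the task's one owning reference */
};

/* Objects "freed" during a scenario; released for real in run_scenario(). */
static struct task_integrity *freed_log[8];
static int freed_count;

static struct task_integrity *task_integrity_alloc(unsigned int value)
{
    struct task_integrity *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->magic = TINT_MAGIC;
    t->refcount = 1;
    t->value = value;
    return t;
}

static void task_integrity_get(struct task_integrity *t) { t->refcount++; }

static void task_integrity_put(struct task_integrity *t)
{
    if (--t->refcount == 0) {             /* last reference: "kfree" it */
        t->magic = FREED_POISON;
        t->value = FREED_POISON;
        freed_log[freed_count++] = t;
    }
}

/* execve() path: attach a fresh integrity object, drop the old one. */
static void do_execve(struct task *tsk)
{
    struct task_integrity *old = tsk->tint;
    tsk->tint = task_integrity_alloc(0x22);   /* label for the new image */
    task_integrity_put(old);
}

typedef void (*preempt_fn)(struct task *);

/* Vulnerable reader: raw pointer, no reference, dereferenced after the window. */
static unsigned int proc_integrity_value_read_vuln(struct task *tsk, preempt_fn preempt)
{
    struct task_integrity *tint = tsk->tint;
    preempt(tsk);            /* execve() runs here and frees *tint */
    return tint->value;      /* use-after-free */
}

/*
 * Hardened reader: pin the object with its own reference before the window.
 * In a real kernel the load of tsk->tint and the get must be made atomic with
 * respect to the put (e.g. under task_lock() or RCU + refcount_inc_not_zero()),
 * otherwise a narrower race remains between the first two lines.
 */
static unsigned int proc_integrity_value_read_fixed(struct task *tsk, preempt_fn preempt)
{
    struct task_integrity *tint = tsk->tint;
    task_integrity_get(tint);
    preempt(tsk);            /* execve() drops only the task's reference */
    unsigned int v = tint->value;
    task_integrity_put(tint);   /* ours was the last reference; freed now */
    return v;
}

/* Simulated scheduler decision: the target task execs while the reader sleeps. */
static void execve_during_read(struct task *tsk) { do_execve(tsk); }

/* Run one scenario and return what the /proc reader reported. */
unsigned int run_scenario(int hardened)
{
    struct task tsk = { task_integrity_alloc(0x11) };   /* pre-exec label */
    freed_count = 0;

    unsigned int v = hardened
        ? proc_integrity_value_read_fixed(&tsk, execve_during_read)
        : proc_integrity_value_read_vuln(&tsk, execve_during_read);

    task_integrity_put(tsk.tint);             /* task exits; drop new object */
    for (int i = 0; i < freed_count; i++)     /* now really release memory */
        free(freed_log[i]);
    return v;
}

int main(void)
{
    printf("vulnerable reader saw 0x%x (poison = 0x%x)\n", run_scenario(0), FREED_POISON);
    printf("hardened reader saw   0x%x\n", run_scenario(1));
    return 0;
}
```

The vulnerable path returns the poison value because the object it reads was released by the execve() path during the window; the hardened path returns the pre-exec label 0x11 because its extra reference kept the object alive. In the real kernel the freed slab memory is not poisoned but reallocated, which is exactly the property the researchers exploit in the next section.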
Exploiting the UAF was not straightforward. Samsung's built-in kernel control flow integrity (KCFI) made arbitrary function calls nearly impossible, closing down the most dangerous exploitation path. However, the researchers found a way by getting the process to load a non-ELF file that could not be executed. "This removes the reset_file refcount > 1 blocker," they explained. With a few additional tricks, they could "reallocate the freed memory in a fully controlled manner," ultimately achieving kernel memory corruption from an untrusted app.
The vulnerability affected a broad range of Samsung devices across multiple generations, including Galaxy S9 through Galaxy S25, A-series devices, and both Exynos- and Qualcomm-based models. Samsung's advisory lists affected Android versions 13, 14, 15, and 16. The issue was present for eight years before being fixed in Samsung's January 2026 security update (SMR Jan-2026 Release 1). The advisory states, "Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows local attacker to access file with system privilege. User interaction is required for triggering this vulnerability." Note that this quoted text describes SecSettings, a userspace settings component, and a file-access issue rather than a kernel use-after-free, so it does not match the PROCA/FIVE bug described above; readers should check the entry for CVE-2026-20971 in the Samsung advisory directly.
Although the vulnerability is only exploitable locally and requires user interaction, the researchers caution that this does not make it harmless. "Very few mobile device users have not mislaid their device only to find it again a day later," they note. Attackers also routinely obtain an initial foothold on always-on devices by other means, such as a malicious or compromised app, and a local kernel bug is then the privilege-escalation step that turns app-level code execution into control of the device. A staff phone taken over this way becomes a potential pivot point onto the enterprise network.
The discovery highlights a critical lesson for defenders: even proprietary security stacks can become attack surfaces. Samsung's KNOX framework is designed to provide hardware-backed security for enterprise and consumer devices, but this eight-year-old flaw shows that such systems must be continuously audited. Samsung has resolved the issue in its January 2026 update, and users are urged to ensure their devices are patched. The research was published by LucidBit Labs, who disclosed the findings to Samsung responsibly.
LucidBit's disclosure goes into the three exploitation primitives derived from the use-after-free: a kernel memory disclosure (an information leak) used to bypass KASLR, an arbitrary call through the /system/bin/monkey binary that KCFI blocks, and a constrained write through a spinlock. The researchers confirmed the flaw on Galaxy S9 through S25 and A-series devices across both Exynos and Qualcomm chipsets, with every Android version they tested found vulnerable. The fix shipped in the January 2026 security update, so users should confirm that their device reports an Android security patch level of 2026-01-01 or later (shown under Settings > About phone > Software information, or readable over adb as the ro.build.version.security_patch property).