Samsung KNOX Flaw Exposed Millions of Galaxy Devices
A critical kernel vulnerability in Samsung’s KNOX security stack put millions of Galaxy devices at risk. Researchers at LucidBit Labs discovered a use-after-free flaw, cataloged as CVE-2026-20971, that could allow attackers to corrupt kernel memory and potentially gain complete control of affected devices. Samsung patched the issue in .

What the Vulnerability Does

The flaw lives in Samsung KNOX’s PROCA and FIVE subsystems, which validate process integrity on devices. The vulnerability is a race condition that occurs during a process state change, such as when a process forks or calls execve(). During this transition, the old task integrity object is freed and replaced with a new one.

Android’s preemptive kernel creates a tiny window where an attacker can exploit memory that has already been freed. While the window is extremely small and requires precise timing, researchers proved it’s exploitable. An attacker would need the process running proc_integrity_value_read() to be scheduled out at exactly the right moment.
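The free-and-replace race described above can be modelled in user space. This is an added example, not Samsung's PROCA/FIVE code or the researchers' code: every name in it is hypothetical, preemption is simulated by calling the replace step in the middle of the reader, and "freed" objects sit in a static pool so the stale read can be observed safely. It contrasts a reader that borrows the raw pointer with one that pins the object with a reference, a common remedy for this bug class.

```c
#include <stdio.h>
/* Simplified user-space model; all names are hypothetical, not Samsung's code. */
#define POISON 0xDEADu

struct integrity {
    int refs;          /* reference count */
    int live;          /* 0 once "freed" (pool slot, so inspection stays safe) */
    unsigned value;    /* integrity label the reader wants */
};
struct task { struct integrity *integ; };

static struct integrity pool[4];
static int next_slot;

static struct integrity *integ_alloc(unsigned value) {
    struct integrity *i = &pool[next_slot++ % 4];
    i->refs = 1; i->live = 1; i->value = value;
    return i;
}

static void integ_put(struct integrity *i) {
    if (--i->refs == 0) { i->live = 0; i->value = POISON; }  /* stands in for kfree */
}

/* State change (fork/exec): swap in a fresh object, drop the task's reference. */
static void task_replace(struct task *t, unsigned value) {
    struct integrity *old = t->integ;
    t->integ = integ_alloc(value);
    integ_put(old);
}

/* Reader. pin=0 borrows the raw pointer; pin=1 takes its own reference first. */
static unsigned read_value(struct task *t, int pin, int *stale) {
    struct integrity *i = t->integ;
    if (pin) i->refs++;        /* in a kernel: under the lock that guards t->integ */
    task_replace(t, 2);        /* simulated preemption: the state change runs here */
    *stale = !i->live;         /* was the object released while we still held it? */
    unsigned v = i->value;     /* unpinned: a use-after-free in a real kernel */
    if (pin) integ_put(i);
    return v;
}

static unsigned demo(int pin, int *stale) {
    struct task t = { integ_alloc(1) };
    return read_value(&t, pin, stale);
}

int main(void) {
    int s1, s2;
    unsigned a = demo(0, &s1), b = demo(1, &s2);
    printf("unpinned: %#x stale=%d | pinned: %#x stale=%d\n", a, s1, b, s2);
}
```

The unpinned reader returns the poison value from an object that was released underneath it, while the pinned reader still sees the original label because the object outlives the swap until the reader drops its reference.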

How Attackers Could Bypass Defenses

Samsung’s KCFI was designed to block arbitrary function calls and prevent exactly this kind of attack. But researchers found a way around it. They discovered they could make a process load a non-ELF file, which removes a refcount blocker that would otherwise stop the attack.

The crucial detail here is that any untrusted app could trigger this vulnerability. An attacker wouldn’t need elevated privileges or physical access to a device. A malicious app downloaded from the Play Store could potentially exploit the flaw.

What Devices Are Affected

The vulnerable device list is extensive. It includes Galaxy S9 through Galaxy S25 models, various A-series phones, and devices using both Exynos and Qualcomm processors. All of these ran Android 13, 14, 15, or 16. Samsung’s advisory notes that local access and user interaction are required for exploitation, meaning a user would need to have the vulnerable app installed on their device.

The Bigger Security Lesson

This incident reveals something important about security architecture: protective mechanisms can themselves become attack vectors. KNOX was built to defend devices, yet its complexity created the opening attackers needed.

As LucidBit Labs noted in their detailed report, “Modified code, especially related to complex mechanisms, is always interesting to examine for vulnerabilities. FIVE is part of the Samsung KNOX security suite, and as we saw, protections can increase the attack surface.”

The patch was included in Samsung’s January 2026 security update. Users with Galaxy devices should ensure they’re running the latest version.
