Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks

Brownie2019

The high-severity use-after-free vulnerability in Samsung’s KNOX security framework affected Android-powered Galaxy devices from the S9 through S25.
Researchers found an eight-year-old high-severity vulnerability affecting nearly all Samsung devices from the Galaxy S9 to S25, living within the KNOX kernel.

The flaw (CVE‑2026‑20971, CVSS 7.8) could be exploited through the interaction between PROCA and FIVE. PROCA, the process authenticator, is a proprietary subsystem in the kernel of the Samsung devices designed to prevent unauthorized processes from executing. It validates process authenticity using FIVE, the kernel-side integrity subsystem, based on the Linux integrity-measurement model and extended by Samsung.

FIVE tracks trust in each running process, applying a task_integrity object that records its security state. If the process changes, perhaps because it forks a child, the child invokes execve(), which triggers a new integrity and drops the old one. This should be instantaneous – but enter Android’s preemptive kernel, within which it all runs. The net effect is a tiny window which, if reachable, is a classic race-condition use-after-free (UAF) target.
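The object lifecycle the article describes, written up as an added model in C (not code from the article, Samsung, or the researchers): a task owns an integrity object, execve() swaps in a fresh one, and a check path that was preempted in between may still hold the old pointer. The struct fields, do_execve() and preempted_check() are assumptions for illustration; the point is the defensive pattern, where a reference count keeps the old object alive until its last holder is done.

```c
#include <stdlib.h>

/* Model of the lifecycle the article describes: a task owns a task_integrity
 * object and execve() installs a fresh one while dropping the old one.
 * Names and fields are assumptions, not Samsung's structures. Release is
 * instrumented (a 'freed' flag, no free()) so a stale read is detectable
 * instead of being undefined behaviour. */
struct task_integrity { int refcount, state, freed; };
struct task { struct task_integrity *integrity; };

static struct task_integrity *integrity_alloc(int state)
{
    struct task_integrity *ti = calloc(1, sizeof *ti);
    ti->refcount = 1;
    ti->state = state;
    return ti;
}
static struct task_integrity *integrity_get(struct task_integrity *ti)
{
    ti->refcount++;
    return ti;
}
static void integrity_put(struct task_integrity *ti)
{
    if (--ti->refcount == 0)
        ti->freed = 1;   /* would be the real release in the kernel */
}

/* execve() swaps in a new object. Unsafe: the old one is dropped at once.
 * Safe: it is only released when its last holder puts its reference. */
static void do_execve(struct task *t, int state, int safe)
{
    struct task_integrity *old = t->integrity;
    t->integrity = integrity_alloc(state);
    if (safe) integrity_put(old); else old->freed = 1;
}

/* A check (think PROCA validating a process) preempted between taking the
 * integrity pointer and reading it: returns the state read, or -1 if stale. */
static int preempted_check(int take_ref)
{
    struct task t = { integrity_alloc(42) };
    struct task_integrity *held = take_ref ? integrity_get(t.integrity)
                                           : t.integrity;
    do_execve(&t, 7, take_ref);               /* preemption window: swap */
    int r = held->freed ? -1 : held->state;   /* stale if no ref was held */
    if (take_ref) integrity_put(held);        /* last ref: released now */
    free(held); free(t.integrity);
    return r;
}
```

Calling preempted_check(0) models the raw-pointer case and reports the stale read; preempted_check(1) models the reference-counted fix and reads the original state safely.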
Thanks for sharing this. Based on what SecurityWeek reports, this is a kernel-level use-after-free (UAF) race condition in Samsung’s Knox-related kernel components (interaction between PROCA and FIVE), affecting a wide range of Galaxy models across many years.

Why this matters (in practical terms)
A kernel UAF typically implies a potential path to elevated privileges (kernel-level code execution) if an attacker can reliably trigger the race. That said, I can’t confirm real-world exploitability, exploitation prerequisites, or whether it’s being exploited in the wild from the quoted text alone—those details usually require an official advisory, patch notes, or researcher write-up.

What affected users should do
  • Install updates promptly: Check Settings → Security and privacy → Updates (wording varies by One UI version) and apply the latest security update available for your device.
  • Verify your patch level: In Settings → About phone → Software information, note the “Android security patch level” (and any Samsung/One UI security patch information). If your device is stuck on older patch levels, you may be unpatched even if everything else looks normal.
  • Be extra cautious with local attack paths: Many kernel exploits require local code execution first (for example, via a malicious app). Reducing risk includes avoiding third-party app stores, avoiding sideloading APKs, and keeping Google Play Protect enabled.
  • If the device is end-of-life (no longer receiving patches): The safest long-term mitigation is moving to a supported device (or a supported OS/security update channel), because kernel vulnerabilities don’t have reliable “workarounds” once patching stops.

For admins / enterprise environments
  • Use MDM to enforce minimum patch levels and block installation from unknown sources.
  • Prioritize patch rollout for models confirmed to receive a fix once Samsung publishes/links the patched build identifiers.

What would confirm the situation more clearly
The key missing piece is an official Samsung security bulletin entry (or the researcher’s advisory) that states: impacted versions/builds, the fixed versions, and severity/attack prerequisites. Without that, it’s hard to be definitive about scope beyond the article’s claims.

If someone can link the Samsung bulletin entry for CVE‑2026‑20971 (or the corresponding monthly patch bulletin that includes it), the thread can be updated with exact “fixed in build X / patch level Y” details.

This vulnerability requires local access. 9999% of those who stole your phone do not even know what brand it is, let alone how to abuse it. I would not worry. 🙃
Local access lowers risk compared to a remote, no-click bug, but it does not automatically make it “not worth worrying about.”

What “local” usually means in Android/kernel cases
  • Often it means “local code execution on the device,” not “physical possession.” A malicious app (or a bug in another app/service) can sometimes be the first step, and the kernel flaw is then used for privilege escalation.
  • Physical theft is only one scenario. The more realistic concern is an untrusted app, sideloaded APK, or a chained exploit that starts in a browser/app and then becomes “local.”

Why patching still matters
  • Kernel privilege-escalation bugs are commonly used as the second stage in exploit chains because they can break app sandboxing and gain deeper control.
  • Even if exploitation is difficult, the cost of mitigation is low: apply Samsung/Android security updates when available.

Practical takeaway
It’s reasonable not to panic, but it’s still a “patch when you can” item—especially for devices that install apps outside Google Play or are used for sensitive accounts (banking, work profiles, 2FA).