[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fq-XRVu5GuTaV-BqZSVMfCL6gb989AylVnYIHznUbBAA":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"0e523ad3-163f-4d21-9d22-c91c99657b21","Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks","eight-year-old-samsung-knox-flaw-exposed-millions-of-galaxy-devices-to-kernel-at-f49d72","The high-severity use-after-free vulnerability in Samsung's KNOX security framework affected Android-powered Galaxy devices from the S9 through S25. The post Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks appeared first on SecurityWeek.","A high-severity, eight-year-old use-after-free vulnerability in Samsung's KNOX kernel has been discovered, potentially affecting millions of Galaxy devices from the S9 to S25. While difficult to exploit and mitigated by kernel control flow integrity, researchers found a method to trigger it via non-executable files, allowing for kernel memory corruption. Samsung has since patched the flaw in its January 2026 update.","Eight-year-old Samsung KNOX kernel flaw exposed millions of Galaxy devices to attacks.","Researchers found an eight-year-old, high-severity vulnerability in the KNOX kernel that affects nearly all Samsung devices from the Galaxy S9 to the S25. The flaw (CVE‑2026‑20971, CVSS 7.8) could be exploited through the interaction between PROCA and FIVE. PROCA, the process authenticator, is a proprietary subsystem in the kernel of Samsung devices designed to prevent unauthorized processes from executing. It validates process authenticity using FIVE, the kernel-side integrity subsystem, which is based on the Linux integrity-measurement model and extended by Samsung.
FIVE tracks trust in each running process, applying a task_integrity object that records its security state. If the process changes, for example it forks a child and the child invokes execve(), this triggers a new integrity object and drops the old one. This should be instantaneous – but it all runs within Android’s preemptive kernel. The net effect is a tiny window which, if reachable, is a classic race-condition use-after-free (UAF) target. Because the kernel is preemptive, a thread can be suspended between reading the pointer and using it. “The target task executes execve(), specifically task_integrity_put(old_tint), freeing the original struct. proc_integrity_value_read() resumes and calls task_integrity_user_read() with a pointer to freed memory,” report the LucidBit Labs researchers who discovered the flaw. The researchers do not suggest that exploiting this UAF was easy, only that it was possible. The built-in kernel control flow integrity (KCFI) made it almost impossible, but not quite. It didn’t eliminate the UAF but closed down arbitrary function calls, which are the most dangerous exploitation path. However, the researchers found a way to exploit the UAF by getting the process to ‘load’ a file that could not be executed; that is, a non-ELF file. “This removes the reset_file refcount > 1 blocker,” they explain. A few more tricks and they could “Reallocate the freed memory in a fully controlled manner.” In the end, the researchers found a way. LucidBit Labs says the flaw could be triggered from an untrusted app and could lead to kernel memory corruption, potentially giving an attacker a path toward deeper control of the device. The researchers disclosed their findings to Samsung, and Samsung fixed the problem in its January 2026 update. This issue existed across multiple Samsung device generations, including Galaxy S9 through Galaxy S25, A-series devices, and both Exynos- and Qualcomm-based models.
Samsung’s advisory lists affected versions as Android 13, 14, 15, and 16. It states, “Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows local attacker to access file with system privilege. User interaction is required for triggering this vulnerability.” On the surface, this vulnerability was only exploitable locally, which would suggest that it was not that dangerous. But that’s ‘user’ interaction, not necessarily ‘legitimate owner’ interaction. Very few mobile device users have not mislaid their device only to find it again a day later. The assumption is just that we forgot where we put it – but nobody knows for certain where it was or who could have handled it during that time. In the wider cybercrime ecosphere, getting a remote access foothold into an always-on device is a common practice. Attackers have numerous ways of getting around local exploitability. If the vulnerability had allowed an attacker to gain control of a staff mobile device, the attacker could potentially pivot onto the enterprise network. Although resolved by Samsung in January, it is important to ensure your own device has been patched. But perhaps the biggest take-away from this research is that defenders must treat their own security stack as a potential attack surface that can be exploited by adversaries. Written By Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft.
For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.","https:\u002F\u002Fwww.securityweek.com\u002Feight-year-old-samsung-knox-flaw-exposed-millions-of-galaxy-devices-to-kernel-attacks\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002FSamsung-Android-Vulnerability.jpg","2026-06-23T13:00:00+00:00","2026-06-23T14:00:21.622627+00:00",8,[18,21,23,25,28],{"name":19,"type":20},"Galaxy S9","product",{"name":22,"type":20},"Galaxy S25",{"name":24,"type":20},"KNOX",{"name":26,"type":27},"Samsung","vendor",{"name":29,"type":30},"Android","technology","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,39,44],{"category":38},{"id":31,"icon":33,"name":34,"slug":35},{"category":40},{"id":41,"icon":33,"name":42,"slug":43},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50],{"type":51,"value":52,"context":53},"cve","CVE-2026-20971","Samsung KNOX kernel vulnerability"]