A critical use-after-free (UAF) vulnerability in Samsung’s proprietary KNOX security subsystem, which has been hidden for over eight years, has been discovered by security research firm LucidBit, potentially exposing hundreds of millions of Galaxy devices to kernel-level memory corruption and complete device takeover.
The flaw, patched in Samsung’s January 2026 Android Security Update, resides in PROCA (Process Authenticator), a core KNOX component responsible for preventing unauthorized process execution.
Specifically, the bug lies in FIVE (File-based Integrity Verification Engine), Samsung’s kernel-side integrity tracking subsystem built on top of Linux’s integrity measurement architecture.
Every process on a Samsung device carries a task_integrity object tracking its trust state. The vulnerability stems from procfs handlers under /proc/pid/integrity/ that fetch a raw pointer to this object without properly holding a reference, a dangerous oversight in a fully preemptive kernel: the owning task can exit and free the object while the handler is preempted, leaving the handler to operate on freed memory.
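To make the object-lifetime mistake concrete, here is an added user-space model (not Samsung's code, and not LucidBit's) of the bug class: a handler that uses a raw pointer to a per-task object next to the reference-counted version. The struct layout, the ti_get()/ti_put() helpers and the poison value are illustrative assumptions; a static slot stands in for a slab allocation so the stale read stays well-defined.

```c
/* Model of the lifetime bug: handler uses a per-task object without a reference.
 * Names (task_integrity, ti_get/ti_put) are illustrative, not the vendor's code. */
#define POISON 0x6b6b6b6bu           /* stand-in for slab poisoning of freed memory */

struct task_integrity {
    unsigned int user_value;        /* value the procfs handler wants to report */
    int refcount;                   /* kref-style counter; object dies at 0 */
    int freed;                      /* models "slot returned to the allocator" */
};

/* One static object standing in for a slab slot; it is never free()d, so the
 * program stays well-defined while still showing the stale read. */
static struct task_integrity slot;

static struct task_integrity *ti_alloc(unsigned int v) {
    slot.user_value = v; slot.refcount = 1; slot.freed = 0;   /* task holds one ref */
    return &slot;
}
static void ti_get(struct task_integrity *ti) { ti->refcount++; }
static void ti_put(struct task_integrity *ti) {
    if (--ti->refcount == 0) {      /* last reference dropped: object is "freed" */
        ti->freed = 1;
        ti->user_value = POISON;
    }
}

/* The racing event: the task exits (drops its reference) while the handler is
 * preempted between fetching the pointer and using it. */
static void task_exit(struct task_integrity *ti) { ti_put(ti); }

/* Unsafe pattern: raw pointer, no reference taken across the use. */
unsigned int read_value_unsafe(unsigned int v) {
    struct task_integrity *ti = ti_alloc(v);
    struct task_integrity *raw = ti;     /* fetch pointer, no ti_get() */
    task_exit(ti);                       /* preemption window: owner exits, object freed */
    return raw->user_value;              /* stale read: whatever now occupies the slot */
}

/* Hardened pattern: pin the object with a reference for the duration of the use. */
unsigned int read_value_safe(unsigned int v) {
    struct task_integrity *ti = ti_alloc(v);
    ti_get(ti);                          /* refcount 2: handler owns a reference */
    task_exit(ti);                       /* owner exits; refcount 1, object still alive */
    unsigned int out = ti->user_value;   /* valid read */
    ti_put(ti);                          /* handler's ref was the last: freed after use */
    return out;
}

int object_freed(void) { return slot.freed; }
```

In a real kernel the unsafe read returns whatever allocation reclaimed the slot, which is exactly why the page describes it as a crash-free information leak.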
Researchers confirmed the vulnerability affects Samsung Galaxy S9 through S25, including A-series devices (tested on A54), across both Exynos and Qualcomm chipset variants.
Every Android version tested was vulnerable. The bug has reportedly existed since FIVE was first introduced into Samsung’s kernel, approximately 2017, making it an eight-year-old dormant flaw hiding in plain sight inside a security-critical subsystem.
LucidBit Labs identified three distinct exploitation primitives from the UAF condition:
- Primitive 1 – Memory Leak (DWORD Read): The proc_integrity_value_read() handler reads task_integrity->user_value at offset 0 from potentially freed memory. If the freed slot is reclaimed before the handler resumes, it leaks whatever data now occupies that address — usable as a KASLR bypass oracle with no crash risk.
- Primitive 2 – Arbitrary Call (CFI-Blocked): The proc_integrity_reset_file() handler eventually triggers a d_dname() function pointer call through a freed struct file. Researchers devised a novel technique using /system/bin/monkey — a plain-text, non-ELF system binary — to force reset_file to a refcount of 1, enabling the UAF. However, Android’s KCFI (Kernel Control Flow Integrity) blocked arbitrary redirection, limiting call targets to type-compatible functions and rendering this primitive a dead end.
- Primitive 3 – Constrained Write via Spinlock: The proc_integrity_label_read() handler acquires a spinlock_t on the freed object. On reclaimed memory, the queued spinlock’s atomic operations produce a constrained write at offset 0x0c, potentially overlapping pointers, refcounts, or length fields in a cross-cache reclaimed object.
Mitigation and Patch Status
Samsung issued a fix in its January 2026 monthly security update. Users running affected Galaxy devices should verify that their security patch level is dated 2026-01-01 or later via Settings → About Phone → Android Security Update.
All Samsung Galaxy device users are strongly urged to verify that their device has applied the January 2026 security patch level or later immediately.
LucidBit noted the vulnerability went undetected for approximately eight years, underscoring the persistent risk of vendor-modified kernel code paths that introduce complex object lifetime semantics not present in upstream Linux.