SecurityWeek

Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks


Researchers found an eight-year-old, high-severity vulnerability in the KNOX kernel affecting nearly all Samsung devices from the Galaxy S9 to the Galaxy S25.

The flaw (CVE-2026-20971, CVSS 7.8) could be exploited through the interaction between PROCA and FIVE. PROCA, the process authenticator, is a proprietary subsystem in the kernel of Samsung devices designed to prevent unauthorized processes from executing. It validates process authenticity using FIVE, the kernel-side integrity subsystem, which is based on the Linux integrity-measurement model and extended by Samsung.

FIVE tracks trust in each running process by attaching a task_integrity object that records its security state. When a process changes, for example when a forked child invokes execve(), a new task_integrity object is created and the old one is dropped. This should be instantaneous – but enter Android’s preemptive kernel, within which it all runs. The net effect is a tiny window which, if reachable, is a classic race-condition use-after-free (UAF) target.

Because of the preemptive kernel, a thread can be suspended between reading the pointer and using it. “The target task executes execve(), specifically task_integrity_put(old_tint), freeing the original struct. proc_integrity_value_read() resumes and calls task_integrity_user_read() with a pointer to freed memory,” report the LucidBit Labs researchers who discovered the flaw.
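The race described above, modelled as an added example that is not Samsung's or LucidBit Labs' code: a reader that snapshots the task_integrity pointer without taking a reference, beside a hardened reader that pins the object across the window. The names tint_get, tint_put, run_reader and the freed flag are assumptions of this model, and preemption is simulated with a callback.

```c
/* Simplified model of a refcounted per-task integrity object (added
 * illustration, not kernel code). A freed flag stands in for released memory
 * so the race is observable without undefined behaviour; single-threaded. */
struct task_integrity { int refcount; int value; int freed; };
struct task { struct task_integrity *tint; };

static void tint_get(struct task_integrity *t) { t->refcount++; }
static void tint_put(struct task_integrity *t) {
    if (--t->refcount == 0) t->freed = 1;      /* stands in for kfree() */
}

/* execve() path: install a fresh object, drop the task's ref to the old one. */
static void task_exec_swap(struct task *tsk, struct task_integrity *fresh) {
    struct task_integrity *old = tsk->tint;
    fresh->refcount = 1;
    tsk->tint = fresh;
    tint_put(old);                              /* task_integrity_put(old_tint) */
}

/* Racy reader: snapshot pointer, get preempted, dereference; -1 if released. */
static int read_racy(struct task *tsk, void (*preempt)(void *), void *arg) {
    struct task_integrity *p = tsk->tint;       /* no reference taken */
    preempt(arg);                               /* the window execve() hits */
    return p->freed ? -1 : p->value;
}

/* Hardened reader: hold its own reference across the window, then release.
 * In a real kernel the snapshot + get must be atomic against the swap. */
static int read_safe(struct task *tsk, void (*preempt)(void *), void *arg) {
    struct task_integrity *p = tsk->tint;
    tint_get(p);
    preempt(arg);
    int v = p->freed ? -1 : p->value;
    tint_put(p);
    return v;
}

struct swap_args { struct task *tsk; struct task_integrity *fresh; };
static void exec_in_window(void *a) {
    struct swap_args *s = a;
    task_exec_swap(s->tsk, s->fresh);
}

/* Run one reader with execve() firing inside its window: 7 (old value) or -1. */
int run_reader(int hardened) {
    struct task_integrity old = { 1, 7, 0 }, fresh = { 0, 3, 0 };
    struct task tsk = { &old };
    struct swap_args s = { &tsk, &fresh };
    return hardened ? read_safe(&tsk, exec_in_window, &s)
                    : read_racy(&tsk, exec_in_window, &s);
}
```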

The researchers do not suggest that exploiting this UAF was easy, only that it was possible. The built-in kernel control-flow integrity (KCFI) made it almost impossible, but not quite. It didn’t eliminate the UAF, but it closed down arbitrary function calls, which are the most dangerous exploitation path.

However, these researchers found a way to exploit the UAF by getting the process to ‘load’ a file that could not be executed; that is, a non-ELF file. “This removes the reset_file refcount > 1 blocker,” they explain. A few more tricks and they could “Reallocate the freed memory in a fully controlled manner.”


In the end, the researchers found a way. LucidBit Labs says the flaw could be triggered from an untrusted app and could lead to kernel memory corruption, potentially giving an attacker a path toward deeper control of the device.

The researchers disclosed their findings to Samsung, and Samsung fixed the problem in its January 2026 update. This issue existed across multiple Samsung device generations, including Galaxy S9 through Galaxy S25, A-series devices, and both Exynos- and Qualcomm-based models. Samsung’s advisory lists affected versions as Android 13, 14, 15, and 16.

It states, “Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows local attacker to access file with system privilege. User interaction is required for triggering this vulnerability.”

On the surface, this vulnerability was only exploitable locally, which would suggest that it was not that dangerous. But that’s ‘user’ interaction, not necessarily ‘legitimate owner’ interaction. Very few mobile device users have not mislaid their device only to find it again a day later. The assumption is just that we forgot where we put it – but nobody knows for certain where it was or who could have handled it during that time. 

In the wider cybercrime ecosphere, getting a remote access foothold into an always-on device is a common practice. Attackers have numerous ways of getting around local exploitability. If the vulnerability had allowed an attacker to gain control of a staff mobile device, the attacker could potentially pivot onto the enterprise network. Although resolved by Samsung in January, it is important to ensure your own device has been patched. 

But perhaps the biggest takeaway from this research is that defenders must treat their own security stack as a potential attack surface that can be exploited by adversaries.
