Samsung: 8-Year-Old Samsung KNOX Vulnerability Exposes Galaxy Devices to Kernel Attacks

Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel-Level Takeover

Security researchers at LucidBit have uncovered a critical use-after-free (UAF) vulnerability in Samsung’s KNOX security subsystem, a flaw that remained hidden for over eight years and could have enabled full device compromise. The bug, patched in Samsung’s January 2026 Android Security Update, affects the PROCA (Process Authenticator) component of KNOX, specifically FIVE (File-based Integrity Verification Engine), a kernel-level integrity tracking system built on Linux’s Integrity Measurement Architecture (IMA).

The vulnerability stems from improper reference handling in the procfs handlers under /proc/pid/integrity/, which fetch raw pointers to task_integrity objects without holding the lock that protects them or taking a reference. In a preemptible kernel the owning task can exit, and its task_integrity object be freed, while a handler still holds the pointer; the handler then operates on freed memory, which can lead to kernel-level memory corruption and device takeover.

Affected Devices & Scope

The flaw impacts Samsung Galaxy devices from the S9 through S25, including A-series models (e.g., A54), across both Exynos and Qualcomm chipsets. All tested Android versions were vulnerable, with the bug dating back to 2017, when FIVE was first integrated into Samsung’s kernel.

Exploitation Primitives

LucidBit identified three distinct exploitation primitives arising from the UAF condition:

  1. Memory Leak (DWORD Read) – The proc_integrity_value_read() handler could disclose data from reclaimed memory, enabling a KASLR bypass without crashing the system.
  2. Arbitrary Call (CFI-Blocked) – The proc_integrity_reset_file() handler could trigger a function pointer call via a freed struct file, but Android’s KCFI (Kernel Control Flow Integrity) restricted redirection to type-compatible functions, neutralizing this vector.
  3. Constrained Write via Spinlock – The proc_integrity_label_read() handler’s spinlock operations on freed memory could produce a write at offset 0x0c, potentially corrupting pointers or reference counts in whatever object had reclaimed the memory.

Patch & Mitigation

Samsung addressed the flaw in its January 2026 security update; affected users are advised to verify that their security patch level is 2026-01-01 or later. The discovery highlights the risks of vendor-modified kernel code, where complex object lifetime semantics absent from upstream Linux can introduce vulnerabilities that survive for years.

Source: https://cybersecuritynews.com/8-year-old-samsung-knox-vulnerability/

Samsung Knox cybersecurity rating report: https://www.rankiteo.com/company/samsungknox
