Samsung’s KNOX security mechanism held a bug for almost eight years. Through it, an ordinary app could corrupt Android kernel memory. The flaw, CVE-2026-20971, reached a wide range of Galaxy phones. The affected models run from the S9 to the S25, plus A-series devices on both Exynos and Qualcomm chips. Samsung fixed the problem in its January 2026 security update. Researchers, however, only published the details now.
The Bug Lived Inside a Security Feature
The flaw was not in a browser, messenger, or single app. It sat in PROCA, Samsung’s own subsystem for process integrity. PROCA is part of the KNOX platform, and it should block unverified programs from running. Inside PROCA works a component called FIVE. FIVE tracks which files and processes the system trusts.
For each process, FIVE keeps a separate object with integrity data. That object holds the current trust level, labels, files, and other internal parameters. The state changes during normal Android use, such as when a program starts or a new process spawns. The more of these transitions occur, the harder it gets to free old data safely. One wrong step lets another part of the kernel reach an object that was already removed.
A Classic Use-After-Free
This is exactly where a use-after-free arose. The term means access to memory after it has been freed. Android exposes process integrity data to apps through the procfs virtual file system. The request handler took a pointer to the integrity object. Yet it did not hold the object in memory for the duration of the read.
Why the Pointer Went Stale
In safe code, access to a short-lived object keeps a reference count. That count stops the kernel from freeing the memory mid-read, roughly like this:
state = integrity_get(task);
if (state == NULL)
return;
read_integrity(state);
integrity_put(state);
In the vulnerable path, the kernel took a raw pointer instead. Then it could switch to another task. During that pause, the target process started another program. Android created a new integrity object and freed the old one. When the first operation resumed, the code reached a stale address. By then, that memory could belong to a completely different object.
state = task->integrity;
switch_to_another_task();
/* The memory at state may already be freed. */
read_integrity(state);
What the Flaw Could Do
This kind of bug is valuable to an attacker. The freed memory region can be refilled with other data. Researchers obtained several memory-corruption primitives. These included a limited data leak, influence over individual writes, and a path to a function call through a stale pointer. LucidBit Labs did not publish a full device-takeover chain. Still, it noted that the set of primitives could, in theory, lead to kernel code execution and full control of the phone.
Exploitation Was Not Easy
Exploiting CVE-2026-20971 is far from simple. The window between taking the pointer and freeing the memory spans only a few CPU instructions. An attacker must hit that rare task-switch moment, wait for the object to free, and then force the kernel to reuse that exact memory region. A separate memory cache for integrity objects raises the difficulty further. Filling memory with random data is not enough.
How CFI Blocked the Worst Path
In one studied path, a stale pointer could lead to a function call through a corrupted address. Modern Android kernels include control-flow integrity, or CFI. Before an indirect call, CFI checks that the function matches the expected type. So a pointer swapped to an arbitrary address triggers a kernel halt instead of handing control to the attacker. The researchers called CFI an effective barrier. It closed the most obvious route to takeover.
The protection did not remove the bug itself, though. Other paths to the freed memory still produced useful results for an attacker. That leads to the study’s main point. Complex security mechanisms can widen the attack surface themselves. They do so when they add large amounts of non-standard kernel code with tricky memory-management logic. You can read the full technical breakdown, including how FIVE works, in LucidBit Labs’ report.
What Galaxy Users Should Do
The vulnerability is local, so an attacker must get the owner to install a malicious app. The research does not describe a remote hack through a website or message. Galaxy users should check their Android security patch level. Install the January 2026 Samsung update or a newer package, if the model still receives updates. Owners of unsupported devices should be especially careful with apps from unknown sources. LucidBit confirmed the bug on the Galaxy S21, S22, S24, and A54, across all tested Android versions and both main Samsung processor families.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
