Samsung KNOX Use-After-Free Flaw Enabled Kernel Attacks on Galaxy Devices
Researchers at LucidBit Labs disclosed CVE-2026-20971, a high-severity use-after-free flaw in Samsung’s KNOX framework that left millions of Galaxy devices exposed to potential kernel-level attacks for roughly eight years. The bug affected Galaxy S9 through S25 models, tested A-series devices including the A54, and both Exynos and Qualcomm variants across Android 13, 14, 15, and 16. Samsung said the issue was fixed in its January 2026 Android security update, and users were urged to verify a security patch level of 2026-01-01 or later.
The vulnerability was traced to a race condition between KNOX’s PROCA process authenticator and the FIVE kernel integrity subsystem, specifically involving procfs handlers under /proc/pid/integrity/ that accessed a task_integrity object without a proper reference in a fully preemptive kernel. LucidBit said the flaw could let a local untrusted app trigger kernel memory corruption and identified exploitation primitives including a memory leak that could aid KASLR bypass, an arbitrary-call path mitigated by KCFI, and a constrained write through spinlock operations on reclaimed memory. Although exploitation required local access and user interaction, researchers warned that a compromised Galaxy device could still enable deeper device takeover and provide a foothold for attacks against enterprise environments.
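The patch-level check described above can be run across a device inventory. The following is an added example, not code from Samsung, LucidBit or this page; the CSV column names and sample rows are constructed, and the patch-level strings are assumed to be in the YYYY-MM-DD form Android reports in ro.build.version.security_patch.

```python
import csv
import io
from datetime import date

FIXED_PATCH_LEVEL = date(2026, 1, 1)   # article: patch level 2026-01-01 or later
AFFECTED_ANDROID = {13, 14, 15, 16}    # Android versions the article lists

# Constructed sample export; the column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """\
serial,model,android,security_patch
TEST-0001,Galaxy S23,14,2025-11-01
TEST-0002,Galaxy S25,16,2026-01-01
TEST-0003,Galaxy A54,14,2026-02-01
TEST-0004,Galaxy S9,13,
TEST-0005,Galaxy S21,13,Nov 2025
TEST-0006,Galaxy S10,12,2023-03-01
"""


def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level, or None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None


def classify(row):
    """Classify one inventory row as 'patched', 'exposed' or 'review'."""
    level = parse_patch_level(row.get("security_patch"))
    if level is None:
        return "review"            # cannot prove the fix is present
    if level >= FIXED_PATCH_LEVEL:
        return "patched"
    try:
        android = int(row.get("android", ""))
    except (TypeError, ValueError):
        return "review"
    # Below the fixed level: exposed if on a listed Android version; anything
    # else is outside what the article covers and needs a manual look.
    return "exposed" if android in AFFECTED_ANDROID else "review"


def triage(csv_text):
    """Group device serials by status."""
    result = {"patched": [], "exposed": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row)].append(row["serial"])
    return result


if __name__ == "__main__":
    for status, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(serials)}")
```

Rows with a missing or unparseable patch level land in "review" rather than "patched", so a reporting gap is never read as proof of the fix.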

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Samsung patches CVE-2026-20971 in January 2026 update
Samsung fixed CVE-2026-20971 in its January 2026 Android Security Update. The advisory says affected devices included Android 13, 14, 15, and 16 across Galaxy S9 through S25 and tested A-series models.
Samsung KNOX flaw likely introduced in Galaxy devices
LucidBit reported that the Samsung KNOX use-after-free vulnerability likely existed since around 2017, affecting Galaxy devices for roughly eight years.
LucidBit publicly discloses Samsung KNOX kernel flaw
Researchers at LucidBit Labs disclosed CVE-2026-20971, a high-severity use-after-free flaw in Samsung's KNOX framework that could let a local untrusted app trigger kernel memory corruption. Their report described the bug in the PROCA/FIVE integrity components and outlined exploitation primitives including a memory leak, an arbitrary-call path blocked by KCFI, and a constrained write.
Sources
CVE-2026-20971: Samsung Android kernel UAF affecting Galaxy S9-S25 : r/netsec
reddit.com
Samsung KNOX Kernel UAF Exposes Millions of Galaxy Devices
securityaffairs.com
Eight-year-old Samsung Knox flaw exposed Galaxy devices to kernel attacks | The CyberSec Guru
thecybersecguru.com
8-Year-Old Samsung KNOX Vulnerability Exposes Galaxy Devices to Kernel Attacks
cybersecuritynews.com
Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks - SecurityWeek
securityweek.com
When Defenses Become Attack Surface: CVE-2026-20971, a Samsung Kernel UAF | LucidBit Labs
lucidbitlabs.com


