
Patched Samsung KNOX kernel flaw (CVE-2026-20971) detailed


As reported by Security Affairs, a critical kernel vulnerability within Samsung's KNOX security suite, identified as CVE-2026-20971, has been detailed. The flaw is a use-after-free bug in the PROCA/FIVE subsystems, which were designed to enhance security but instead created an exploitable condition, according to a report by LucidBit Labs.

The vulnerability stems from a race condition within the kernel's process integrity validation. Specifically, when a process changes state, such as during a fork or execve operation, the system frees an old integrity object while a new one is being prepared. An attacker could exploit the tiny time window between the freeing of memory and its reallocation to execute code. While Samsung's Kernel Control-Flow Integrity (KCFI) mitigation helps by blocking arbitrary function calls, researchers found a bypass by loading non-executable files, allowing for controlled reallocation of the freed memory. This could lead to kernel memory corruption, potentially enabling a complete device takeover from an untrusted application.

Samsung addressed this issue in its January 2026 security update, affecting a wide range of Galaxy devices from the S9 to S25 series, as well as A-series models across Android 13 through 16.

Source: Security Affairs
