A significant vulnerability in Samsung’s proprietary KNOX security system, unnoticed for over eight years, has been uncovered by LucidBit, a security research firm. This flaw has potentially left millions of Galaxy devices vulnerable to kernel-level attacks, allowing for memory corruption and complete device takeover.
Discovery and Impact of the Flaw
This vulnerability, recently patched in Samsung’s January 2026 Android Security Update, is located in the Process Authenticator (PROCA), a crucial component of KNOX that prevents unauthorized processes from executing.
The flaw specifically affects the File-based Integrity Verification Engine (FIVE), which is part of Samsung’s kernel-side integrity tracking mechanism. FIVE is built on Linux’s Integrity Measurement Architecture (IMA), and it assigns each process a task_integrity object to track trust levels. The issue arises in the procfs handlers under /proc/pid/integrity/, which retrieve a raw pointer to this object without taking a reference on it; in a preemptible kernel, the owning task can exit and free the object between the lookup and the use, so the handler ends up operating on freed memory.
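The object-lifetime pattern behind the flaw, shown as an added userland model (not Samsung's or LucidBit's code): a refcounted per-task integrity object is looked up by a /proc-style handler, and the owning task exits before the handler reads it. The struct, field and function names are assumptions chosen for illustration and do not mirror the FIVE source; the point is the difference between keeping a raw pointer and holding a reference across the read.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Samsung's or LucidBit's code: a userland model of the
 * lifetime bug class described above. Names are assumptions for illustration. */

static int freed_objects = 0;          /* how many objects have been released */

struct task_integrity {
    int refcount;                      /* owning task holds the first reference */
    unsigned int value;                /* the trust level a reader reports */
};

static struct task_integrity *ti_alloc(unsigned int value)
{
    struct task_integrity *ti = calloc(1, sizeof(*ti));
    if (!ti)
        abort();
    ti->refcount = 1;
    ti->value = value;
    return ti;
}

static struct task_integrity *ti_get(struct task_integrity *ti)
{
    ti->refcount++;
    return ti;
}

static void ti_put(struct task_integrity *ti)
{
    if (--ti->refcount == 0) {
        memset(ti, 0xAA, sizeof(*ti)); /* poison so stale use is obvious */
        free(ti);
        freed_objects++;
    }
}

/* The owning task exits and drops its reference. In a preemptible kernel this
 * can happen while a reader is between "look up object" and "read field". */
static void owner_exit(struct task_integrity *ti)
{
    ti_put(ti);
}

/* Unsafe pattern: the handler remembers a raw pointer without ti_get(). Once
 * the owner exits, the pointer dangles. Returns how many objects were freed
 * between the lookup and the point where the handler would read the field. */
static int unsafe_handler_freed_before_read(unsigned int value)
{
    int freed_at_lookup = freed_objects;
    struct task_integrity *owner_ref = ti_alloc(value);
    struct task_integrity *raw = owner_ref;   /* no reference taken */
    owner_exit(owner_ref);                    /* preemption window */
    (void)raw;   /* a real handler would read raw->value here: use-after-free */
    return freed_objects - freed_at_lookup;   /* 1: already freed */
}

/* Safe pattern: hold a reference for the duration of the read, so the owner's
 * exit cannot free the object underneath the handler. */
static unsigned int safe_handler_read(unsigned int value, int *freed_before_read)
{
    int freed_at_lookup = freed_objects;
    struct task_integrity *owner_ref = ti_alloc(value);
    struct task_integrity *ref = ti_get(owner_ref); /* handler holds a reference */
    owner_exit(owner_ref);                          /* same preemption window */
    *freed_before_read = freed_objects - freed_at_lookup; /* 0: still alive */
    unsigned int v = ref->value;                    /* valid while ref is held */
    ti_put(ref);                                    /* last reference: freed now */
    return v;
}

int main(void)
{
    int freed = -1;
    int unsafe_freed = unsafe_handler_freed_before_read(7);
    unsigned int v = safe_handler_read(42, &freed);
    printf("unsafe: objects freed before read = %d\n", unsafe_freed);
    printf("safe: value = %u, objects freed before read = %d\n", v, freed);
    return 0;
}
```

The fix shape is the same one upstream Linux uses for task-owned objects: the reader takes its own reference (here ti_get) before touching the object and drops it afterwards, so the owner's exit only removes the owner's reference and the memory survives until the reader is done.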
Affected Devices and Timeline
The vulnerability impacts Samsung Galaxy models from S9 to S25, as well as A-series devices (tested on A54), across Exynos and Qualcomm chipsets. LucidBit’s research indicates that every tested Android version was susceptible, with the flaw existing since FIVE’s initial integration into Samsung’s kernel around 2017.
This revelation highlights the persistent risk posed by vendor-modified kernel code paths, which introduce complex object lifetime semantics absent in upstream Linux code.
Exploitation Primitives and Mitigation
LucidBit Labs identified three exploitation techniques stemming from the vulnerability:
- Memory Leak (DWORD Read): The proc_integrity_value_read() handler can leak data from freed memory, acting as a KASLR bypass oracle without causing crashes.
- Arbitrary Call (CFI-Blocked): Attempts to exploit the proc_integrity_reset_file() handler are hindered by Android’s Kernel Control Flow Integrity (KCFI), limiting call targets to compatible functions.
- Constrained Write via Spinlock: The proc_integrity_label_read() handler can cause a constrained write when operating on reclaimed memory, potentially leading to pointer or refcount overlaps.
Samsung’s January 2026 security update addresses the vulnerability. Galaxy users should ensure their devices have the security patch level dated 2026-01-01 or later, accessible via Settings → About Phone → Android Security Update.
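A scripted version of the check above, added here as an example and not part of the article or Samsung's tooling: it reads the device's security patch level over adb (assumes USB debugging is enabled and adb is installed) and compares it against the 2026-01-01 fix date. The property name ro.build.version.security_patch is the standard Android property that backs the value shown under About Phone.

```shell
#!/bin/sh
# Added example, not from the article or Samsung: check whether a device's
# reported security patch level includes the January 2026 fix.
FIX_DATE="2026-01-01"   # patch level named in the advisory above

# Return 0 if LEVEL (YYYY-MM-DD) is on or after FIX_DATE, 1 if older,
# 2 if the value is empty or not a date. Dates are compared as the
# integer YYYYMMDD so no external date tool is required.
patch_is_fixed() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$FIX_DATE" | tr -d '-')
    [ "$have" -ge "$need" ]
}

# Live check over adb (USB debugging enabled). ro.build.version.security_patch
# is the standard Android property behind Settings > About phone.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    if patch_is_fixed "$level"; then
        echo "security patch level $level: January 2026 fix present"
    else
        echo "security patch level '${level:-unreadable}': update required"
        return 1
    fi
}

# Only talk to a device when adb is installed; the functions above run anywhere.
if command -v adb >/dev/null 2>&1; then
    check_device
fi
```

The comparison treats a malformed or empty property as "not fixed" on purpose: a fleet check that cannot read the value should flag the device rather than silently pass it.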
Conclusion and Recommendations
LucidBit’s findings underscore the importance of regular security updates to mitigate risks from long-standing vulnerabilities. Samsung Galaxy users are strongly advised to verify their devices are up-to-date with the latest security patches to safeguard against potential exploits.
