
8-Year-Old Samsung KNOX Vulnerability Exposes Galaxy Devices to Kernel Attacks

Source: Cybersecurity News. Archived Jun 23, 2026.



By Guru Baran, June 23, 2026

A critical use-after-free (UAF) vulnerability in Samsung’s proprietary KNOX security subsystem, hidden for over eight years, has been discovered by security research firm LucidBit. It potentially exposes hundreds of millions of Galaxy devices to kernel-level memory corruption and complete device takeover.

The flaw, patched in Samsung’s January 2026 Android Security Update, resides in PROCA (Process Authenticator), a core KNOX component responsible for preventing unauthorized process execution. Specifically, the bug targets FIVE (File-based Integrity Verification Engine), Samsung’s kernel-side integrity tracking subsystem built on top of Linux’s integrity measurement architecture.

Every process on a Samsung device carries a task_integrity object tracking its trust state. The vulnerability stems from procfs handlers under /proc/pid/integrity/ that fetch a raw pointer to this object without properly holding a reference, a dangerous oversight in a fully preemptive kernel.

Researchers confirmed the vulnerability affects Samsung Galaxy S9 through S25, including A-series devices (tested on A54), across both Exynos and Qualcomm chipset variants. Every Android version tested was vulnerable. The bug has reportedly existed since FIVE was first introduced into Samsung’s kernel, approximately 2017, making it an eight-year-old dormant flaw hiding in plain sight inside a security-critical subsystem.

[Figure: File Structure Layout (Source: LucidBit Labs)]

LucidBit Labs identified three distinct exploitation primitives from the UAF condition:

Primitive 1 – Memory Leak (DWORD Read): The proc_integrity_value_read() handler reads task_integrity->user_value at offset 0 from potentially freed memory. If the freed slot is reclaimed before the handler resumes, it leaks whatever data now occupies that address, usable as a KASLR bypass oracle with no crash risk.

Primitive 2 – Arbitrary Call (CFI-Blocked): The proc_integrity_reset_file() handler eventually triggers a d_dname() function pointer call through a freed struct file. Researchers devised a novel technique using /system/bin/monkey (a plain-text, non-ELF system binary) to force reset_file to a refcount of 1, enabling the UAF. However, Android’s KCFI (Kernel Control Flow Integrity) blocked arbitrary redirection, limiting call targets to type-compatible functions and rendering this primitive a dead end.

Primitive 3 – Constrained Write via Spinlock: The proc_integrity_label_read() handler acquires a spinlock_t on the freed object. On reclaimed memory, the queued spinlock’s atomic operations produce a constrained write at offset 0x0c, potentially overlapping pointers, refcounts, or length fields in a cross-cache reclaimed object.

Mitigation and Patch Status

Samsung issued a fix in its January 2026 monthly security update. Users running affected Galaxy devices should verify that their security patch level is dated 2026-01-01 or later via Settings → About Phone → Android Security Update. All Samsung Galaxy device users are strongly urged to verify immediately that their device has applied the January 2026 security patch level or later.

LucidBit noted the vulnerability went undetected for approximately eight years, underscoring the persistent risk of vendor-modified kernel code paths that introduce complex object lifetime semantics not present in upstream Linux.
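The lifetime flaw described for the /proc/pid/integrity/ handlers, and the stale read of Primitive 1, can be modelled in user space; the following is an added example, not code from Samsung, LucidBit or the original article. It assumes a single static slot in place of the kernel allocator, so the stale read stays defined behaviour, and every function and type name in it is hypothetical.

```c
/* User-space model, constructed for illustration: one static slot stands in
 * for the kernel allocator. All names are hypothetical, not Samsung's FIVE code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct integrity { uint32_t user_value; int refs; };  /* user_value at offset 0 */

static struct integrity slot;   /* the one allocator slot */
static int slot_live;           /* 1 while an integrity object owns the slot */

static struct integrity *integrity_alloc(uint32_t v) {
    slot.user_value = v; slot.refs = 1; slot_live = 1;
    return &slot;
}
static struct integrity *integrity_get(struct integrity *ti) { ti->refs++; return ti; }
static void integrity_put(struct integrity *ti) {
    if (--ti->refs == 0) slot_live = 0;   /* last reference gone: slot is freed */
}

/* Stands in for the preemption window: the task exits and drops its reference,
 * then an unrelated allocation reuses the slot if it was freed. */
static void task_exit_then_reuse(struct integrity *task_ref, uint32_t other_data) {
    integrity_put(task_ref);
    if (!slot_live) memcpy(&slot, &other_data, sizeof other_data);
}

/* Flawed pattern: the handler keeps a raw pointer across the window. */
uint32_t value_read_raw(struct integrity *task_ti, uint32_t other_data) {
    struct integrity *ti = task_ti;             /* no reference taken */
    task_exit_then_reuse(task_ti, other_data);
    return ti->user_value;                      /* reads the new occupant's bytes */
}

/* Hardened pattern: pin the object for the duration of the handler. */
uint32_t value_read_pinned(struct integrity *task_ti, uint32_t other_data) {
    struct integrity *ti = integrity_get(task_ti);
    task_exit_then_reuse(task_ti, other_data);  /* refs 2 -> 1, slot stays live */
    uint32_t v = ti->user_value;
    integrity_put(ti);                          /* handler drops the last reference */
    return v;
}

int slot_is_live(void) { return slot_live; }

int main(void) {
    printf("raw:    0x%08x\n", (unsigned)value_read_raw(integrity_alloc(7), 0xdeadbeefu));
    printf("pinned: 0x%08x\n", (unsigned)value_read_pinned(integrity_alloc(7), 0xdeadbeefu));
    return 0;
}
```

In kernel code the pin itself must be taken while the object is still guaranteed alive, for example under the lock or RCU section that protects the task's pointer, otherwise the race only moves earlier.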