Security research firm LucidBit has disclosed a critical use-after-free (UAF) vulnerability lurking inside Samsung’s proprietary KNOX security subsystem — a flaw that went undetected for approximately eight years and potentially exposes hundreds of millions of Galaxy devices to kernel-level memory corruption and complete device takeover. The vulnerability was patched in Samsung’s January 2026 Android Security Update, but devices that have not applied the patch remain at risk.
The Vulnerability: Eight Years in Plain Sight
The flaw resides in PROCA (Process Authenticator), a core KNOX component responsible for preventing unauthorized process execution. More specifically, it targets FIVE (File-based Integrity Verification Engine), Samsung’s kernel-side integrity tracking subsystem built on top of Linux’s Integrity Measurement Architecture (IMA).
Every process on a Samsung device carries a task_integrity object that tracks its trust state. The bug arises from procfs handlers under /proc/pid/integrity/ that fetch a raw pointer to this object without properly holding a reference — a dangerous oversight in a fully preemptive kernel. The vulnerability has reportedly existed since FIVE was first introduced into Samsung’s kernel around 2017, making it an eight-year-old dormant flaw hiding inside a security-critical subsystem.
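As an added illustration (not LucidBit's analysis code and not Samsung's kernel code), the following user-space C simulation models the bug class described above: a procfs-style handler borrows a raw pointer to a reference-counted per-task object, is preempted, and the owning task exits in that window. The vulnerable handler takes no reference and reads a released object; the fixed handler pins the object with a get/put pair. All names here (the task_integrity fields, ti_get/ti_put, the two handler functions) are hypothetical stand-ins chosen for the illustration, and released objects are kept in memory under a freed flag so the read-after-free is detected instead of invoking undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical reference-counted per-task object, standing in for the role
 * of task_integrity. Field names are illustrative, not Samsung's. */
struct task_integrity {
    int refcount;
    unsigned int user_value;
    int freed;            /* simulation only: set when ti_put() releases it */
};

struct task {
    struct task_integrity *integrity;   /* the task's own reference */
};

static struct task_integrity *ti_alloc(unsigned int value)
{
    struct task_integrity *ti = calloc(1, sizeof(*ti));
    ti->refcount = 1;                   /* owned by the task */
    ti->user_value = value;
    return ti;
}

static void ti_get(struct task_integrity *ti) { ti->refcount++; }

/* Drop a reference; the last one releases the object. Memory is kept and
 * flagged so a later access can be recognised as a read-after-free. */
static void ti_put(struct task_integrity *ti)
{
    if (--ti->refcount == 0)
        ti->freed = 1;
}

/* The task exits and drops its reference. In a preemptive kernel this can
 * run while a handler that borrowed the pointer is paused mid-read. */
static void task_exit(struct task *t)
{
    ti_put(t->integrity);
    t->integrity = NULL;
}

enum read_result { READ_OK = 0, READ_AFTER_FREE = -1 };

/* Vulnerable pattern: raw pointer, no reference held across the window. */
static enum read_result value_read_unsafe(struct task *t, unsigned int *out)
{
    struct task_integrity *ti = t->integrity;   /* no ti_get() */
    task_exit(t);                                /* simulated preemption window */
    if (ti->freed)
        return READ_AFTER_FREE;                  /* would read freed memory */
    *out = ti->user_value;
    return READ_OK;
}

/* Fixed pattern: take a reference before the window, drop it after. */
static enum read_result value_read_safe(struct task *t, unsigned int *out)
{
    struct task_integrity *ti = t->integrity;
    ti_get(ti);                                  /* pin the object */
    task_exit(t);                                /* same window; object survives */
    *out = ti->user_value;
    ti_put(ti);                                  /* our reference was the last */
    return READ_OK;
}

/* Drive the vulnerable handler on a fresh task; returns READ_AFTER_FREE. */
int run_unsafe(void)
{
    struct task_integrity *ti = ti_alloc(0x41);
    struct task t = { ti };
    unsigned int v = 0;
    enum read_result r = value_read_unsafe(&t, &v);
    free(ti);                                    /* simulation cleanup */
    return r;
}

/* Drive the fixed handler; returns the value read (0x41) and confirms the
 * object was released once the handler dropped its reference. */
int run_safe(void)
{
    struct task_integrity *ti = ti_alloc(0x41);
    struct task t = { ti };
    unsigned int v = 0;
    enum read_result r = value_read_safe(&t, &v);
    int ok = (r == READ_OK && ti->freed);
    free(ti);
    return ok ? (int)v : -1;
}

int main(void)
{
    printf("unsafe handler: %s\n", run_unsafe() == READ_AFTER_FREE
           ? "read hit a released object" : "read ok");
    printf("safe handler:   read 0x%x, object released afterwards\n", run_safe());
    return 0;
}
```

The fix is the same shape as the kernel's own refcount discipline: whoever dereferences a shared object across a point where it may sleep or be preempted must own a reference for the whole interval, and the reference must be dropped exactly once afterwards.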
Affected Devices
LucidBit confirmed the vulnerability affects a wide range of Samsung Galaxy devices:
- Samsung Galaxy S9 through S25 series
- A-series devices (confirmed on A54)
- Both Exynos and Qualcomm chipset variants
- All Android versions tested were vulnerable
Three Exploitation Primitives
Researchers identified three distinct exploitation paths from the UAF condition:
- Memory Leak (DWORD Read): The proc_integrity_value_read() handler reads task_integrity->user_value from potentially freed memory. If the freed slot is reclaimed before the handler resumes, it leaks data from that memory address — usable as a KASLR bypass oracle with no crash risk.
- Arbitrary Call (CFI-Blocked): The proc_integrity_reset_file() handler can trigger a function pointer call through a freed struct file. However, Android’s Kernel Control Flow Integrity (KCFI) blocked arbitrary redirection, limiting this primitive’s exploitability.
- Constrained Write via Spinlock: The proc_integrity_label_read() handler acquires a spinlock on the freed object, producing a constrained write at offset 0x0c on reclaimed memory — potentially overlapping pointers, refcounts, or length fields in a cross-cache reclaimed object.
Why This Discovery Is Significant
KNOX is Samsung’s flagship enterprise security platform, used extensively in high-security environments including government agencies, defense contractors, and financial institutions. The fact that a kernel-level UAF vulnerability existed within this security-critical subsystem for eight years — surviving multiple Android major version upgrades and Samsung’s own security reviews — raises serious questions about the thoroughness of vendor-modified kernel code audits.
LucidBit noted that the vulnerability went undetected because FIVE introduced complex object lifetime semantics not present in upstream Linux, creating a blind spot in standard kernel security reviews that focus on mainline code paths.
Patch Status and Mitigation
Samsung issued a fix in its January 2026 monthly security update. All Galaxy users should verify their device’s security patch level immediately:
- Navigate to Settings → About Phone → Android Security Update
- Confirm the security patch level is dated 2026-01-01 or later
- If an update is available, apply it immediately
Enterprise device administrators managing Samsung fleets via Knox Manage or other MDM solutions should enforce the January 2026 patch level as a compliance requirement and report non-compliant devices as high-priority remediation targets.
Broader Implications for Mobile Security
This disclosure is a reminder that security-focused features can themselves become attack surface. PROCA and FIVE were designed to prevent unauthorized code execution — but the implementation introduced a memory safety flaw at the kernel level that, if exploited, could allow exactly the kind of full device compromise those features were meant to stop. Security teams responsible for mobile device fleets should incorporate Samsung’s monthly security bulletins into their patch management workflows and treat unpatched devices as a material risk.