Researchers discovered an eight-year-old use-after-free vulnerability in Samsung's KNOX kernel security framework affecting Galaxy devices from S9 to S25. The vulnerability (CVE-2026-20971, CVSS 7.8) arises from a race condition in the interaction between PROCA, a proprietary process authenticator, and FIVE, the kernel integrity subsystem. Specifically, during process execution changes (execve()), a pointer to freed memory can be accessed due to Android's preemptive kernel scheduling, enabling a use-after-free condition. Although kernel control flow integrity (KCFI) limited exploitation paths, researchers found a method involving loading a non-executable file to bypass protections and reallocate freed memory under attacker control. Exploitation requires local attacker access and user interaction but could lead to kernel memory corruption and deeper device compromise. Samsung released a fix in the January 2026 update, affecting Android 13 to 16 on multiple device generations and chipsets.

The vulnerability allows a local attacker with user interaction to trigger kernel memory corruption via a use-after-free condition in the KNOX security framework. This could potentially enable escalation of privileges or deeper control over the device kernel. Although exploitation is complex and mitigated by kernel control flow integrity, successful exploitation could compromise device security and enable further attacks, including pivoting into enterprise networks if the device is used in such environments.

Samsung fixed this vulnerability in its January 2026 security update. Users should ensure their Galaxy devices from S9 through S25 are updated to the January 2026 or later firmware releases that include patches for Android versions 13 through 16. No additional mitigation is required beyond applying the official update. Since exploitation requires local access and user interaction, limiting physical access to devices also reduces risk.