8-Year-Old Samsung KNOX Vulnerability Exposes Galaxy Devices to Kernel Attacks

A critical vulnerability has been discovered in Samsung’s KNOX security platform, potentially exposing numerous Galaxy devices to kernel-level attacks. This flaw, identified by security research firm LucidBit, has remained undetected for approximately eight years, affecting devices from the Galaxy S9 through the S25, including A-series models like the A54, across both Exynos and Qualcomm chipset variants.

The vulnerability resides in the Process Authenticator (PROCA), a core component of KNOX responsible for preventing unauthorized process execution. Specifically, the issue lies in the File-based Integrity Verification Engine (FIVE), Samsung’s kernel-side integrity tracking subsystem built atop Linux’s integrity measurement architecture. Each process on a Samsung device carries a ‘task_integrity’ object that tracks its trust state. The flaw arises from procfs handlers under ‘/proc/pid/integrity/’ that fetch a raw pointer to this object without holding a reference to it—a dangerous oversight in a fully preemptive kernel, where the owning task can exit and free the object while the handler is paused between fetching the pointer and using it.

LucidBit identified three distinct exploitation primitives stemming from this use-after-free (UAF) condition:

  • Memory Leak (DWORD Read): The ‘proc_integrity_value_read()’ handler reads ‘task_integrity->user_value’ at offset 0 from potentially freed memory. If the freed slot is reclaimed before the handler resumes, it leaks whatever data now occupies that address, which can be used as a Kernel Address Space Layout Randomization (KASLR) bypass oracle without causing a crash.
  • Arbitrary Call (CFI-Blocked): The ‘proc_integrity_reset_file()’ handler eventually triggers a ‘d_dname()’ function pointer call through a freed ‘struct file’. Researchers devised a technique using ‘/system/bin/monkey’—a plain-text, non-ELF system binary—to force ‘reset_file’ to a refcount of 1, enabling the UAF. However, Android’s Kernel Control Flow Integrity (KCFI) blocked arbitrary redirection, limiting call targets to type-compatible functions and rendering this primitive ineffective.
  • Constrained Write via Spinlock: The ‘proc_integrity_label_read()’ handler acquires a ‘spinlock_t’ on the freed object. On reclaimed memory, the queued spinlock’s atomic operations produce a constrained write at offset 0x0c, potentially overlapping pointers, refcounts, or length fields in a cross-cache reclaimed object.
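The following userspace simulation is an added example, not code from the article or from Samsung, and its struct layout, function names and values are constructed for illustration. It models the defect described above (a procfs-style handler fetching a raw pointer without taking a reference) beside the corrected pattern, and shows why the first bullet's "read from reclaimed memory" behaviour follows: a one-slot "slab" frees the object the moment its last reference drops, so an unrelated allocation deterministically reoccupies the address and the unreferenced handler reports that allocation's data instead of the task's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-task integrity object; the layout is
 * constructed for this example and is not Samsung's. */
struct task_integrity {
    uint32_t user_value;   /* the field a "value" read handler returns */
    int refcount;
};

/* One-slot "slab": freeing makes the slot immediately reusable, so a reclaim
 * by another allocation is deterministic rather than timing-dependent. */
static struct task_integrity slot;
static int slot_in_use;
#define POISON 0xDEADBEEFu   /* written on free, like slab poisoning */

static struct task_integrity *integrity_alloc(uint32_t value)
{
    if (slot_in_use)
        return NULL;
    slot_in_use = 1;
    slot.user_value = value;
    slot.refcount = 1;       /* the owning task's reference */
    return &slot;
}

static void integrity_get(struct task_integrity *ti) { ti->refcount++; }

static void integrity_put(struct task_integrity *ti)
{
    if (--ti->refcount == 0) {   /* last reference gone: free the slot */
        ti->user_value = POISON;
        slot_in_use = 0;
    }
}

struct task { struct task_integrity *integrity; };

/* Models what happens "on another CPU" while the handler is preempted: the
 * owning task exits (dropping its reference) and an unrelated allocation takes
 * whatever memory is free. 0x5EC4E7 is a constructed stand-in for that
 * allocation's data. */
static struct task_integrity *reclaimer;
static void preempt_exit_and_reclaim(struct task *t)
{
    integrity_put(t->integrity);
    t->integrity = NULL;
    reclaimer = integrity_alloc(0x5EC4E7u);   /* NULL if the slot is still held */
}

/* Vulnerable pattern: raw pointer fetched, no reference held across the
 * preemptible window, then dereferenced. */
static uint32_t read_value_unsafe(struct task *t, void (*preempt)(struct task *))
{
    struct task_integrity *ti = t->integrity;
    preempt(t);
    return ti->user_value;   /* reads freed or reclaimed memory */
}

/* Hardened pattern: take a reference before the window so the object cannot be
 * freed underneath the handler, and drop it only after the last use. */
static uint32_t read_value_safe(struct task *t, void (*preempt)(struct task *))
{
    struct task_integrity *ti = t->integrity;
    uint32_t v;
    if (!ti)
        return 0;
    integrity_get(ti);
    preempt(t);
    v = ti->user_value;
    integrity_put(ti);
    return v;
}

/* Runs one handler against a task whose object holds 0x41, then resets the
 * slab. Returns the value the handler observed. */
static uint32_t run_scenario(int hardened)
{
    struct task t = { integrity_alloc(0x41u) };
    uint32_t v = hardened ? read_value_safe(&t, preempt_exit_and_reclaim)
                          : read_value_unsafe(&t, preempt_exit_and_reclaim);
    if (reclaimer) {          /* release the reclaimer's reference, if any */
        integrity_put(reclaimer);
        reclaimer = NULL;
    }
    slot_in_use = 0;
    return v;
}

int main(void)
{
    printf("unsafe handler observed 0x%x (task's value was 0x41)\n",
           (unsigned)run_scenario(0));
    printf("safe handler observed   0x%x\n", (unsigned)run_scenario(1));
    return 0;
}
```

In the unsafe path the handler returns 0x5EC4E7, the reclaimer's data, which is exactly the disclosure-without-crash behaviour the first bullet describes; in the safe path the extra reference keeps the slot occupied, the reclaim allocation fails, and the handler returns the task's own 0x41. In a real kernel the `get` itself must also be ordered against the free, for example by taking it under the lock or RCU read section that protects the pointer, so that the object cannot vanish between the pointer fetch and the reference increment; this single-threaded model leaves that ordering implicit.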

Samsung addressed this vulnerability in its January 2026 monthly security update. Users are strongly advised to ensure their devices have applied the January 2026 security patch level or later. This can be verified by navigating to Settings → About Phone → Android Security Update.

The prolonged existence of this flaw highlights the challenges in maintaining robust security within complex systems like KNOX. It underscores the importance of continuous vigilance and prompt patching to protect devices from potential exploits.