8-Year-Old Samsung KNOX Vulnerability Exposed Galaxy Devices to Kernel Attacks


Samsung patched a High-severity KNOX vulnerability that could allow local attackers to potentially execute arbitrary code on affected Galaxy devices.

The flaw is tracked as CVE-2026-20971 and SVE-2025-2103. In its January 2026 security bulletin, Samsung described it as a use-after-free issue in the PROCA driver before SMR Jan-2026 Release 1.

The vulnerability drew fresh attention after researchers said it had existed for about eight years in Samsung’s KNOX-related kernel code. A SecurityWeek report said the issue affected Galaxy devices from the Galaxy S9 through the Galaxy S25, including some A-series models.

CVE-2026-20971 affects Samsung’s PROCA driver

The NVD entry for CVE-2026-20971 says the bug allows local attackers to potentially execute arbitrary code. NVD gives the issue a CVSS 3.1 score of 7.8, which places it in the High severity range.

PROCA, short for Process Authenticator, is part of Samsung’s security architecture for checking whether processes should be trusted. Researchers linked the vulnerability to the interaction between PROCA and FIVE, Samsung’s File-based Integrity Verification Engine.

Samsung’s broader KNOX architecture is designed to protect devices through secure boot, trusted boot, runtime protection, and integrity checks. The official Samsung KNOX security whitepaper explains that the kernel is a highly privileged component that starts apps and directly accesses storage and network devices.

CVE ID: CVE-2026-20971
Samsung ID: SVE-2025-2103
Component: PROCA driver
Bug type: Use after free
Severity: High
Affected Android versions: Android 13, 14, 15, and 16 before SMR Jan-2026 Release 1
Patch: Samsung SMR Jan-2026 Release 1 or later

Researchers say the bug was hidden in KNOX code for years

The flaw matters because it sits inside a security-sensitive part of the kernel code that Samsung adds on top of Android. A kernel-level vulnerability has more serious consequences than a bug in an ordinary app because the kernel controls core device operations and is not confined by the permission and sandbox boundaries that contain apps.

According to the SecurityWeek report, LucidBit Labs connected the vulnerability to a race condition involving PROCA and FIVE. The report says the bug could be triggered from an untrusted app and could lead to kernel memory corruption.

The technical issue centers on object lifetime management. In simple terms, vulnerable kernel code could keep using a memory object after the system had already freed it. That condition is known as use after free. Depending on what the allocator places in the freed slot next, it can let an attacker read stale kernel memory, corrupt memory, or redirect execution flow.
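The lifetime pattern behind this bug class, as an added example: this is not Samsung's PROCA or FIVE code and does not claim to reproduce the exact race LucidBit Labs described. A checker looks up a per-process object, the owning task exits on another CPU and drops the last reference, and the checker then touches freed memory. The struct, pool, function names and the "race" (simulated as a fixed interleaving rather than real threads) are assumptions made for illustration. A static pool stands in for the kernel slab and poisons freed objects, so the bad access is reported as an error instead of being undefined behaviour on real freed memory.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a use-after-free caused by a missing reference in a
 * lookup path. Not Samsung's PROCA/FIVE source; names and layout are
 * assumptions for this article.
 */

#define POOL_SIZE 4
#define POISON_BYTE 0x6b   /* same byte the Linux slab allocator poisons freed objects with */

struct proc_ctx {
    int in_use;          /* 0 once the last reference is dropped ("freed") */
    int refcount;
    char label[16];      /* stand-in for per-process verification state */
};

/* Static pool standing in for a slab cache, so a dangling access is observable. */
static struct proc_ctx pool[POOL_SIZE];

static struct proc_ctx *ctx_alloc(const char *label)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].refcount = 1;        /* reference owned by the task itself */
            strncpy(pool[i].label, label, sizeof(pool[i].label) - 1);
            pool[i].label[sizeof(pool[i].label) - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void ctx_get(struct proc_ctx *c) { c->refcount++; }

static void ctx_put(struct proc_ctx *c)
{
    if (--c->refcount == 0) {
        c->in_use = 0;                                     /* "free" the object */
        memset(c->label, POISON_BYTE, sizeof(c->label));   /* poison it like SLUB debug does */
    }
}

/* The checker path reads the object it was handed. Returns 0 on success and
 * -1 if it touched a freed (poisoned) object; on a real kernel that would be
 * a KASAN report or a crash, not a tidy error code. */
static int checker_use(struct proc_ctx *c)
{
    if (!c->in_use)
        return -1;
    return c->label[0] == (char)POISON_BYTE ? -1 : 0;
}

/* Buggy pattern: lookup hands back a raw pointer without taking a reference,
 * so nothing stops the owning task from freeing the object in between. */
static int race_vulnerable(void)
{
    struct proc_ctx *task = ctx_alloc("app_process");
    struct proc_ctx *raw = task;      /* lookup: no ctx_get() */
    ctx_put(task);                    /* other CPU: task exits, last reference dropped */
    return checker_use(raw);          /* use after free: returns -1 */
}

/* Fixed pattern: lookup takes its own reference, so the object cannot be
 * freed until the checker is done and drops it. */
static int race_fixed(void)
{
    struct proc_ctx *task = ctx_alloc("app_process");
    struct proc_ctx *held = task;
    ctx_get(held);                    /* lookup pins the object: refcount 2 */
    ctx_put(task);                    /* task exits: refcount 1, still alive */
    int rc = checker_use(held);       /* 0 */
    ctx_put(held);                    /* checker's reference: now really freed */
    return rc;
}

/* Number of live pool slots; shows neither path leaks the object. */
static int live_objects(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        n += pool[i].in_use;
    return n;
}

int main(void)
{
    printf("vulnerable path: %s\n", race_vulnerable() == 0 ? "ok" : "use-after-free detected");
    printf("fixed path:      %s\n", race_fixed() == 0 ? "ok" : "use-after-free detected");
    return 0;
}
```

The cure shown here, taking a reference in the lookup path, is the usual fix for this bug class in general; it is not a description of the change Samsung shipped, which the bulletin describes only as removing unused code from the driver.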

Why Samsung Galaxy owners should update

Samsung addressed the issue in its SMR Jan-2026 Release 1. The company said the patch removes unused code in the PROCA driver.

The National Vulnerability Database lists the attack vector as local, which means an attacker would need local code execution on the device rather than direct remote access. That still matters because attackers often chain mobile vulnerabilities together, starting with a malicious app, phishing, or another exploit.

Samsung users should check whether their device has received the January 2026 security update or a later release. Patch availability can vary by model, region, chipset, and carrier, and Samsung’s KNOX vulnerability reporting documentation notes that some security fixes may not reach all devices at the same time because of distribution and testing factors.

How to check your Galaxy security patch level

Galaxy users can check for updates from the Settings app. The exact menu names can vary slightly by model and One UI version, but the process is usually simple.

  • Open Settings on the Galaxy phone or tablet.
  • Go to Software update.
  • Tap Download and install.
  • Install any available update.
  • Check the Android security patch level after the restart (Settings > About phone, or About tablet, > Software information) and confirm it shows a date in January 2026 or later.

Users should also avoid installing apps from unknown sources, especially on older devices that no longer receive frequent security updates. A local privilege escalation bug becomes more dangerous when a malicious app can first reach the device.

Enterprise administrators should review their managed Galaxy fleet and confirm that affected Android 13, 14, 15, and 16 devices have received the January 2026 Samsung security maintenance release or a later update. The Samsung KNOX documentation also recommends using accurate vulnerability management data because third-party tools can map Galaxy vulnerabilities incorrectly across different models and hardware variants.
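For both the manual check above and the fleet review, here is a small added helper that is not from Samsung or the article: it reads a device's Android security patch level over adb and compares it to the required level. It assumes USB debugging is enabled, adb is on PATH, and that SMR Jan-2026 Release 1 corresponds to a security patch level of 2026-01-01 (Samsung's monthly releases are dated the first of the month); that constant and all function names are assumptions for this example. Run it once per serial from adb devices.

```c
#define _POSIX_C_SOURCE 200809L   /* for popen()/pclose() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the January 2026 SMR ships with this patch level string.
 * Adjust if the bulletin for your model states a different date. */
#define REQUIRED_PATCH_LEVEL "2026-01-01"

/* Parse "YYYY-MM-DD" (tolerating a trailing \r or \n from adb) into YYYYMMDD.
 * Returns -1 if the string is not a well-formed patch level. */
static long parse_patch_level(const char *s)
{
    int y, m, d;
    char trail;
    int n = sscanf(s, "%4d-%2d-%2d%c", &y, &m, &d, &trail);
    if (n < 3)
        return -1;
    if (n == 4 && trail != '\n' && trail != '\r' && trail != ' ')
        return -1;
    if (y < 2000 || m < 1 || m > 12 || d < 1 || d > 31)
        return -1;
    return (long)y * 10000 + m * 100 + d;
}

/* 1 if the device's level is on or after the required one, 0 if it needs
 * the update, -1 if the level string could not be parsed. */
static int patch_is_current(const char *device_level)
{
    long have = parse_patch_level(device_level);
    long need = parse_patch_level(REQUIRED_PATCH_LEVEL);
    if (have < 0)
        return -1;
    return have >= need;
}

/* adb serials are alphanumeric, plus ':' '.' '-' '_' for TCP targets.
 * Refuse anything else rather than interpolate it into a shell command. */
static int serial_is_safe(const char *s)
{
    if (!s || !*s || strlen(s) > 64)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr(":._-", *s))
            return 0;
    return 1;
}

/* Query one attached device. `serial` may be NULL when only one device is
 * attached. Writes the raw level into level_out and returns the verdict
 * from patch_is_current(), or -1 if adb produced nothing (device offline,
 * adb missing, USB debugging disabled) or the serial is rejected. */
static int check_device(const char *serial, char *level_out, size_t level_len)
{
    char cmd[256];
    if (serial && !serial_is_safe(serial))
        return -1;
    if (serial)
        snprintf(cmd, sizeof cmd, "adb -s %s shell getprop ro.build.version.security_patch", serial);
    else
        snprintf(cmd, sizeof cmd, "adb shell getprop ro.build.version.security_patch");

    FILE *p = popen(cmd, "r");
    if (!p)
        return -1;
    if (!fgets(level_out, (int)level_len, p)) {
        pclose(p);
        return -1;
    }
    pclose(p);
    level_out[strcspn(level_out, "\r\n")] = '\0';
    return patch_is_current(level_out);
}

int main(int argc, char **argv)
{
    char level[32];
    const char *serial = argc > 1 ? argv[1] : NULL;
    int rc = check_device(serial, level, sizeof level);
    if (rc < 0) {
        fprintf(stderr, "could not read a valid patch level (adb/device/serial problem)\n");
        return 2;
    }
    printf("patch level %s: %s\n", level, rc ? "at or after SMR Jan-2026" : "NEEDS UPDATE");
    return rc ? 0 : 1;   /* non-zero exit makes it easy to script over a fleet */
}
```

A patch level on or after the required date says the device has the fix for this CVE as far as the bulletin is concerned; it does not tell you which chipset or carrier build the device runs, so cross-check against Samsung's own per-model data rather than a third-party mapping, as the KNOX documentation advises.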

The flaw shows the risk of vendor kernel code

This case highlights a difficult problem in Android security. Device makers add their own kernel-level features to support hardware, enterprise tools, and security functions. Those additions can improve protection, but they can also create new attack surfaces if bugs remain unnoticed for years.

Samsung’s KNOX platform includes multiple protections meant to preserve device integrity. The KNOX whitepaper says Knox uses secure boot and trusted boot to help ensure that only approved system software runs on the device.

CVE-2026-20971 does not mean KNOX itself is broken across all protections. It does show that security-critical subsystems need continued review, especially when they live in privileged kernel paths. For Galaxy users, the practical advice is clear: install the January 2026 update or any newer Samsung security release as soon as it becomes available.

FAQ

What is CVE-2026-20971?

CVE-2026-20971 is a High-severity use-after-free vulnerability in Samsung’s PROCA driver. Samsung patched it in SMR Jan-2026 Release 1.

Which Samsung devices are affected by the KNOX vulnerability?

Samsung’s advisory lists Android 13, 14, 15, and 16 devices before SMR Jan-2026 Release 1 as affected. Researchers also reported exposure across Galaxy models from the S9 through the S25, including some A-series devices.

Is CVE-2026-20971 a critical vulnerability?

No. Samsung and NVD classify CVE-2026-20971 as High severity, not Critical. It is still important because it affects a kernel-level Samsung security component.

Can attackers exploit this Samsung KNOX bug remotely?

The vulnerability is listed as a local attack issue, so an attacker would need local code execution on the device. However, mobile attackers can sometimes combine local flaws with other exploits or malicious apps.

How can I protect my Samsung Galaxy device?

Install Samsung’s January 2026 security update or a later release, avoid sideloading apps from unknown sources, and keep Google Play Protect enabled. Enterprise users should verify patch status across all managed Galaxy devices.

Readers help support VPNCentral. We may get a commission if you buy through our links.