
Samsung KNOX kernel use-after-free flaw (CVE-2026-20971) patched

Vulnerability · Open · Jun 23, 2026

Samsung has issued a patch for a kernel use‑after‑free flaw in its KNOX security platform that affects Galaxy devices from the S9 to the S25 range and several A‑series models. The vulnerability, tracked as CVE-2026-20971, was addressed in the January 2026 security update posted on Samsung’s security advisory page. Samsung published the fix after researchers warned that the flaw could allow local attackers to gain full control of a phone.

The flaw resides in the KNOX kernel’s PROCA and FIVE subsystems and is classified as a use‑after‑free condition triggered by a race condition during process integrity checks. With a CVSS score of 7.3 it is rated high severity. An attacker who can install an untrusted application on the device can exploit the race condition to corrupt kernel memory, potentially escalating to privileged code execution.

Although exploitation requires local access and some form of user interaction, such as launching a malicious app, the impact could be complete device takeover, allowing the attacker to intercept calls, read stored data or install persistent malware. Samsung’s advisory notes that the issue affects Galaxy S9, S10, S20, S21, S22, S23, S24 and S25 models and the corresponding A‑series line‑ups. The January 2026 update closes the window by correcting the faulty memory handling.

Researchers have noted that the vulnerability existed for roughly eight years before being identified, meaning older Galaxy handsets were exposed for a long period. Despite the long window, no threat actor has been publicly linked to active exploitation of CVE-2026-20971, and the flaw is not listed in the US government’s Known Exploited Vulnerabilities catalogue. The case illustrates how trusted security components can themselves become a target, reinforcing the need for continual scrutiny of even hardened subsystems.

Enterprises should verify that all managed Samsung devices have received the January 2026 patch, which can be confirmed through mobile device management consoles or by checking the security patch level in settings. Users are encouraged to enable automatic over‑the‑air updates and to avoid installing applications from unverified sources. Monitoring for abnormal kernel logs or unexpected reboots can help detect attempted exploitation before it succeeds.
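The patch-level check described above, as an added example that is not part of the advisory or of any Samsung tooling: it reads the Android `ro.build.version.security_patch` property (assumed to be reachable over adb) and triages a fleet inventory against the January 2026 baseline. The inventory below is constructed sample data, not real devices.

```python
"""Fleet triage against the January 2026 security patch level that ships the
CVE-2026-20971 fix. Added example; the serials and levels are constructed."""
from datetime import date
from typing import Dict, List, Optional
import subprocess

# First Samsung monthly bulletin carrying the fix, per the advisory text.
BASELINE = date(2026, 1, 1)


def parse_patch_level(value: str) -> Optional[date]:
    """Parse an Android security patch level string (YYYY-MM-DD); None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_patched(patch_level: str, baseline: date = BASELINE) -> bool:
    """True when the device's patch level is at or beyond the baseline."""
    parsed = parse_patch_level(patch_level)
    return parsed is not None and parsed >= baseline


def query_patch_level(serial: str) -> str:
    """Read the property from a live device over adb (assumes adb on PATH)."""
    result = subprocess.run(
        ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def triage(inventory: Dict[str, str], baseline: date = BASELINE) -> Dict[str, List[str]]:
    """Split {serial: patch_level} into patched / exposed / unknown buckets.
    A malformed level is reported as unknown rather than silently treated as safe."""
    report: Dict[str, List[str]] = {"patched": [], "exposed": [], "unknown": []}
    for serial, level in inventory.items():
        parsed = parse_patch_level(level)
        if parsed is None:
            report["unknown"].append(serial)
        elif parsed >= baseline:
            report["patched"].append(serial)
        else:
            report["exposed"].append(serial)
    return report


SAMPLE_INVENTORY = {  # constructed sample data, not real devices
    "DEVICE-0001": "2026-01-01",  # January 2026 bulletin: patched
    "DEVICE-0002": "2025-12-01",  # one bulletin behind: exposed
    "DEVICE-0003": "2026-02-01",  # later bulletin: patched
    "DEVICE-0004": "unknown",     # MDM returned no usable value
}

if __name__ == "__main__":
    for bucket, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(serials) or '-'}")
```

Devices in the "exposed" and "unknown" buckets are the ones to chase through the MDM console before treating the fleet as covered.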

Regularly reviewing Samsung’s security advisories and subscribing to vulnerability feeds will help organisations stay ahead of similar issues. Applying the principle of least privilege to installed apps and limiting ad‑hoc file sharing reduces the attack surface that a local exploit could abuse. Staying current with patches remains the most effective defence against kernel‑level flaws like this one.

Intelligence briefing updated Jun 23, 2026

CVE-2026-20971 (CVSS 7.3)
Root source: security.samsungmobile.com