A use-after-free vulnerability that sat in Samsung's KNOX security framework for approximately eight years has been publicly disclosed. Hundreds of millions of Galaxy smartphones, from the Galaxy S9 through the Galaxy S25, were potentially exposed to kernel-level exploitation for most of that period.
The flaw has since been patched by Samsung, but its extraordinary lifespan inside one of the most scrutinized mobile security platforms in the industry raises uncomfortable questions about how long critical bugs can hide even in vendor-developed security components.
What is Samsung KNOX?
Samsung KNOX is a proprietary security platform built into Samsung Android devices that provides:
- Hardware-isolated secure storage and processing (KNOX Vault) for sensitive data such as biometrics and cryptographic keys
- Containerization for separating personal and work profiles
- Kernel integrity monitoring via Samsung's Real-time Kernel Protection (RKP)
- Hardware-backed attestation used by MDM/EMM solutions like Microsoft Intune, VMware Workspace ONE, and others
KNOX is marketed as a defense-in-depth security layer and is a primary reason many enterprise IT departments certify Samsung devices for corporate use. It is evaluated under Common Criteria and government security certifications in multiple countries.
The irony of a kernel exploitation vulnerability residing within the kernel security framework is not lost on the security community.
Vulnerability Details
| Field | Value |
|---|---|
| Vulnerability Class | Use-After-Free (CWE-416) |
| Component | Samsung KNOX security framework |
| Severity | High |
| Affected Devices | Galaxy S9 through Galaxy S25 series |
| Duration of Exposure | ~8 years (introduced ~2017) |
| Impact | Kernel-level code execution |
| Patch Released | June 2026 Samsung Security Maintenance Release |
What is a Use-After-Free Vulnerability?
A use-after-free (UAF) vulnerability occurs when a program keeps using a pointer to memory that has already been freed. In a kernel context the sequence is particularly dangerous:
- Kernel memory is freed — A data structure in kernel space is deallocated
- Pointer is not cleared — Kernel code elsewhere still holds a reference to the freed memory
- Memory is reallocated — The attacker drives allocations of the same size class (a heap spray) so that controlled data lands in the freed slot
- Stale pointer is used — The kernel dereferences the attacker-controlled contents; if the object held a function pointer, or a pointer the kernel later writes through, that yields control of kernel execution or an arbitrary kernel write
Because the kernel runs at the highest privilege level of the Android OS, successful exploitation gives an attacker control of the device, bypassing the application sandbox, SELinux policy and other application-layer protections. Components that sit above or beside the kernel, such as RKP and the separate secure processor behind KNOX Vault, are designed to constrain even a kernel compromise, so what an attacker can actually reach depends on which component the patched bug lived in.
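The four steps above, as an added example that is not Samsung's code and not code from the original article: a kernel-style use-after-free reproduced on a tiny fixed-slot slab, so that slot reuse is deterministic and the demonstration contains no undefined behaviour. The `struct session` object, its `on_close` handler, the slab and the `session_cache` pointer are invented for illustration; the hardened variant shows the usual fix, reference counting with the holder's pointer cleared on release.

```c
/* Added example (not Samsung's or the article's code): a use-after-free on a
 * tiny fixed-slot slab, beside a reference-counted fix. All names are invented. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4

struct session {
    int (*on_close)(struct session *s); /* function pointer a stale use will follow */
    int id;
    int refcount;                       /* used only by the hardened path */
};

static struct session slab[SLOTS];
static int slab_used[SLOTS];

/* The "cache" pointer: the second reference the vulnerable code forgets to clear. */
static struct session *session_cache;

static void slab_reset(void) {
    memset(slab_used, 0, sizeof slab_used);
    session_cache = NULL;
}

/* Hand out the lowest free slot, the way a slab cache returns a recently freed object first. */
static struct session *slab_alloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!slab_used[i]) {
            slab_used[i] = 1;
            memset(&slab[i], 0, sizeof slab[i]);
            return &slab[i];
        }
    }
    return NULL;
}

/* Mark the slot free. Like kfree(), this leaves old contents and stale pointers untouched. */
static void slab_free(struct session *s) {
    slab_used[s - slab] = 0;
}

static int legit_close(struct session *s)    { (void)s; return 1; }
/* Stands in for whatever the attacker points the reused slot's handler at. */
static int attacker_close(struct session *s) { (void)s; return 0xBAD; }

/* Vulnerable flow: free while session_cache still points at the object, let an
 * attacker-controlled allocation of the same size reuse the slot, then use the
 * stale reference. Returns whatever handler the stale pointer now reaches. */
int vulnerable_flow(void) {
    slab_reset();
    struct session *s = slab_alloc();
    s->on_close = legit_close;
    s->id = 1;
    session_cache = s;                      /* second reference, never invalidated */
    slab_free(s);                           /* steps 1 and 2: freed, pointer not cleared */

    struct session *spray = slab_alloc();   /* step 3: reallocation lands in the freed slot */
    spray->on_close = attacker_close;
    spray->id = 99;

    return session_cache->on_close(session_cache);   /* step 4: stale pointer followed */
}

/* Hardened flow: every holder owns a reference, the object is freed only when
 * the last reference is dropped, and dropping clears the holder's pointer. */
static struct session *session_get(struct session *s) { s->refcount++; return s; }

static void session_put(struct session **sp) {
    struct session *s = *sp;
    *sp = NULL;                             /* no dangling pointer survives a put */
    if (--s->refcount == 0)
        slab_free(s);
}

int hardened_flow(void) {
    slab_reset();
    struct session *s = slab_alloc();
    s->on_close = legit_close;
    s->id = 1;
    s->refcount = 1;
    session_cache = session_get(s);         /* cache takes its own reference */
    session_put(&s);                        /* creator drops its reference; object stays live */

    struct session *spray = slab_alloc();   /* cannot land on the still-live object */
    spray->on_close = attacker_close;
    spray->id = 99;

    int rc = session_cache->on_close(session_cache);   /* still the legitimate handler */
    session_put(&session_cache);            /* last reference: freed now, pointer cleared */
    slab_free(spray);
    return rc;
}

/* True after hardened_flow: the cache pointer was cleared by the final put. */
int cache_pointer_cleared(void) { return session_cache == NULL; }

int main(void) {
    printf("vulnerable flow: handler returned 0x%x\n", vulnerable_flow());
    printf("hardened flow: handler returned %d\n", hardened_flow());
    return 0;
}
```

The slab here returns the most recently freed slot first, which is what makes a real slab allocator so convenient for the reallocation step: an attacker only needs to allocate objects of the same size class. The reference-counted version removes both halves of the bug, since no holder can outlive the object and no holder keeps a usable pointer after releasing it.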
Scope of Impact
The Galaxy S9 was released in March 2018, meaning the vulnerable code has been present in flagship Samsung hardware across eight generations of devices and hundreds of millions of units sold globally.
Devices confirmed in the affected range:
| Device Family | Release Year |
|---|---|
| Galaxy S9 / S9+ | 2018 |
| Galaxy S10 series | 2019 |
| Galaxy S20 series | 2020 |
| Galaxy S21 series | 2021 |
| Galaxy S22 series | 2022 |
| Galaxy S23 series | 2023 |
| Galaxy S24 series | 2024 |
| Galaxy S25 series | 2025 |
Galaxy Note, A, M and other lines that ship KNOX may also be affected; the full scope depends on whether those devices use the same vulnerable KNOX kernel component.
Exploitation Prerequisites
While the severity is high, exploitation of kernel UAF vulnerabilities typically requires:
- Local code execution on the device — the attacker must already have an app running on the device (via a malicious app install or phishing)
- Reliable heap spray techniques to position attacker-controlled data at the freed memory address
- Kernel symbols and offsets to defeat KASLR — usually obtained via an information disclosure bug or from public kernel sources
A plausible attack chain is:
- Victim installs a malicious app (app store, sideload, or enterprise MDM push)
- The app exploits the KNOX UAF to escape the application sandbox and gain kernel privileges
- Full device compromise — theft of any data the kernel can reach, keylogging, persistent implants (secrets sealed inside KNOX Vault's separate secure processor are designed to stay non-exportable even from a compromised kernel, although kernel-level code can usually still invoke them)
Sophisticated threat actors — particularly nation-state spyware operators — actively chain such vulnerabilities into full device compromise packages.
Samsung's Response
Samsung issued a patch in the June 2026 Security Maintenance Release (SMR). Affected users should:
- Install the June 2026 Samsung security update immediately
- Navigate to Settings → Software update → Download and install
- Verify the patch level reads 2026-06-01 or later, shown under Settings → About phone → Software information → Android security patch level, or returned by `adb shell getprop ro.build.version.security_patch`
Samsung has not disclosed whether this vulnerability was exploited in the wild prior to the patch.
Why Did This Take Eight Years to Find?
The longevity of this flaw in a security-critical component is notable. Contributing factors likely include:
- Complexity of KNOX's kernel integration — Deep kernel patches are harder to review than userland code
- Proprietary codebase — Unlike AOSP, KNOX modifications are closed-source, limiting external review
- Focus on feature auditing over security auditing — Vendor security reviews often prioritize new feature validation
- Insufficient fuzzing coverage — Use-after-free bugs often surface only under targeted fuzzing with memory safety instrumentation such as KASAN (which reports use-after-free and out-of-bounds accesses; KMSAN, by contrast, finds uninitialised reads)
This case reinforces the value of continuous security research programs, bug bounty coverage of kernel components, and external security audits of proprietary firmware.
Recommendations
| Action | Priority |
|---|---|
| Apply June 2026 Samsung SMR immediately | Critical |
| Audit MDM policies for Galaxy device patch compliance | High |
| Enable Samsung KNOX attestation checks in MDM | High |
| Review app installs on Galaxy devices — restrict to vetted sources | Medium |
| Consider additional MTD (Mobile Threat Defense) for high-risk roles | Medium |
For Enterprise IT Administrators
Organizations with Galaxy devices enrolled in MDM/EMM platforms should:
- Push the June 2026 patch via MDM with enforcement and deadline policies
- Check KNOX attestation status — a device whose bootloader is unlocked or whose kernel integrity checks have failed will fail attestation, which is a useful indicator; a kernel exploit that leaves those checks intact does not necessarily trip it, so a passing attestation is not proof that the device is clean
- Review access controls for users on unpatched Galaxy devices with access to sensitive data or VPN
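A patch-compliance check for the two places above that ask for it (the user-facing patch-level verification and the MDM compliance audit), as an added example that is not Samsung's code and not code from the original article. On a real device the level is read with `adb shell getprop ro.build.version.security_patch`, which prints a date such as 2026-06-01; the inventory below is constructed for the demonstration and the serial numbers are made up.

```c
/* Added example (not Samsung's or the article's code): decide whether each
 * device's Android security patch level meets the June 2026 SMR. The
 * inventory is constructed; serials are made up. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REQUIRED_YEAR  2026
#define REQUIRED_MONTH 6
#define REQUIRED_DAY   1

/* Parse "YYYY-MM-DD" strictly. Returns 1 on success, 0 if the property is
 * missing, empty or not in that exact format: an absent or odd value must
 * count as non-compliant, never as "unknown, therefore fine". */
int parse_patch_level(const char *level, int *y, int *m, int *d) {
    char extra;
    if (level == NULL) return 0;
    if (sscanf(level, "%4d-%2d-%2d%c", y, m, d, &extra) != 3) return 0;
    if (strlen(level) != 10) return 0;       /* rejects "2026-6-1" and similar */
    return *m >= 1 && *m <= 12 && *d >= 1 && *d <= 31;
}

/* 1 if the level is on or after the required date, 0 otherwise (including unparseable). */
int patch_level_ok(const char *level) {
    int y, m, d;
    if (!parse_patch_level(level, &y, &m, &d)) return 0;
    if (y != REQUIRED_YEAR)  return y > REQUIRED_YEAR;
    if (m != REQUIRED_MONTH) return m > REQUIRED_MONTH;
    return d >= REQUIRED_DAY;
}

struct device {
    const char *serial;
    const char *patch_level;   /* value of ro.build.version.security_patch, NULL if never reported */
};

/* Constructed inventory, shaped like an MDM export. */
static const struct device inventory[] = {
    { "R58M1AAAAA", "2026-06-01" },   /* exactly the required level */
    { "R58M1BBBBB", "2026-03-01" },   /* behind */
    { "R58M1CCCCC", "2026-07-01" },   /* ahead */
    { "R58M1DDDDD", "" },             /* empty property */
    { "R58M1EEEEE", NULL },           /* never reported */
};

/* Print one line per non-compliant device and return how many there were. */
int report_noncompliant(void) {
    int count = 0;
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        const struct device *dev = &inventory[i];
        if (patch_level_ok(dev->patch_level)) continue;
        printf("%s\t%s\tNON-COMPLIANT\n", dev->serial,
               dev->patch_level && *dev->patch_level ? dev->patch_level : "<unknown>");
        count++;
    }
    return count;
}

int main(void) {
    printf("%d device(s) below the June 2026 SMR\n", report_noncompliant());
    return 0;
}
```

The strict parse matters more than the comparison: a device that reports nothing, or a value the MDM connector mangled, is the one most likely to be unmanaged, and it should land on the non-compliant list rather than silently pass.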
Sources
- SecurityWeek — Eight-Year-Old Samsung KNOX Flaw
- Samsung Mobile Security — June 2026 SMR
- Android Security Bulletins