← All articles

Eight-year-old Samsung KNOX kernel flaw exposed Galaxy S9 through S25

Researchers at LucidBit Labs detailed an eight-year-old use-after-free flaw in the kernel of Samsung's KNOX security framework that affected a huge range of Galaxy devices, from the Galaxy S9 to the S25, across A-series and both Exynos and Qualcomm models. The bug (CVE-2026-20971) sits in a race between two KNOX components that verify process integrity, and a malicious app could exploit it to corrupt kernel memory and potentially take full control of the device. Samsung quietly fixed it in its January 2026 security update. Exploitation requires local access and some user interaction, but a lost, borrowed, or stolen phone makes that realistic.

Check
Confirm that Samsung Galaxy devices in your environment have installed the January 2026 or later security update, and identify any older or unmanaged Galaxy phones that may still be missing it.
Affected
Samsung Galaxy devices from the S9 through S25, plus A-series models on both Exynos and Qualcomm chips (CVE-2026-20971), that have not applied the January 2026 security update.
Fix
Apply the January 2026 or later Samsung security update to all Galaxy devices, enforce update compliance through mobile device management, and retire devices no longer receiving security patches.