Researchers found an eight-year old high severity vulnerability affecting nearly all Samsung devices from the Galaxy S9 to S25 living within the KNOX kernel.
The flaw (CVE‑2026‑20971, CVSS 7.8) could be exploited through the interaction between PROCA and FIVE. PROCA, the process authenticator, is a proprietary subsystem in the kernel of the Samsung devices designed to prevent unauthorized processes from executing. It validates process authenticity using FIVE, the kernel side integrity subsystem, based on the Linux integrity-measurement model and extended by Samsung.
FIVE tracks trust in each running process, applying a task_integrity object that records its security state. If the process changes, perhaps it forks a child, the child invokes execve() which triggers a new integrity and drops the old one. This should be instantaneous – but enter Android’s preemptive Kernel within which it all runs. The net effect is a tiny window which, if reachable, is a classic race-condition use-after-free (UAF) target.
Because of the preemptive kernel, a thread can be suspended between reading the pointer and using it. “The target task executes execve(), specifically task_integrity_put(old_tint), freeing the original struct. proc_integrity_value_read() resumes and calls task_integrity_user_read() with a pointer to freed memory,” reports the LucidBit Labs researchers who discovered the flaw.











