Platform
other
Component
knoxguardmanager
Fixed in
2026.0.1
CVE-2026-20978 describes an improper authorization vulnerability discovered in KnoxGuardManager, a component of Samsung’s security framework. This flaw allows a local attacker to circumvent the persistence configuration settings of applications. The vulnerability impacts devices running Android 13, 14, and 15 prior to the SMR (Security Maintenance Release) February 2026 release. A fix is available in version 2026.0.1.
Successful exploitation of CVE-2026-20978 allows a local attacker to bypass the intended persistence configuration of applications managed by KnoxGuardManager. This could lead to unauthorized access to sensitive data, modification of application behavior, or even the execution of malicious code within the application's context. The attacker needs physical access to the device to exploit this vulnerability. The blast radius is limited to the affected application and the device itself, as it requires local access.
CVE-2026-20978 was publicly disclosed on February 4, 2026. There is currently no public proof-of-concept (POC) available. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. Given the local attacker requirement, the probability of exploitation is considered low to medium, depending on the prevalence of rooted devices and the attacker's access to the target device.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
The primary mitigation for CVE-2026-20978 is to upgrade to the SMR February 2026 release or later, specifically version 2026.0.1 or higher. If immediate upgrading is not feasible, consider implementing stricter access controls and application sandboxing to limit the potential impact of a successful attack. Monitor device logs for any unusual activity related to KnoxGuardManager or application persistence settings. While a direct detection signature is unlikely, monitoring for unauthorized modifications to application data directories could be indicative of exploitation.
Apply the Samsung Mobile (SMR) security update from February 2026 or later. This update corrects the improper authorization vulnerability in KnoxGuardManager. It is recommended to install the update as soon as it is available to protect the device.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-20978 is a vulnerability in Samsung's KnoxGuardManager that allows local attackers to bypass application persistence configurations on Android devices.
You are affected if you use a Samsung Galaxy device running Android 13, 14, or 15 prior to the SMR February 2026 release (version 2026.0.1).
Upgrade your Samsung Galaxy device to the SMR February 2026 release or later (version 2026.0.1) by applying the latest security update.
There is currently no evidence of active exploitation, but the vulnerability is publicly known.
Refer to the official Samsung Security Bulletin for details: [https://security.samsungmobile.com/ (replace with actual URL when available)]
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.