EIP-2026-100056

PRE-CVE

Google Android - RKP EL1 Code Loading Bypass

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-100056. PoCs published by Google Security Research.

AI-analyzed exploit summary: The writeup details a vulnerability in Samsung KNOX's RKP hypervisor where certain memory regions are incorrectly marked as RWX in both stage 1 and stage 2 translation tables, allowing arbitrary code execution in EL1. The issue arises due to mismatched protection ranges between the kernel text region and the broader reserved physical address range.

Description

Google Android - RKP EL1 Code Loading Bypass

Exploits (1)

exploitdb · WRITEUP · VERIFIED
by Google Security Research · text · local · android
https://www.exploit-db.com/exploits/41217

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Samsung KNOX with RKP (Real-time Kernel Protection)
No auth needed
Prerequisites: Physical or privileged access to a Samsung device with KNOX and RKP enabled
devstral-2 · analyzed Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026