Major Linux Security Flaw: io_uring Bypass Leaves Security Tools Blind
2025-04-24

ARMO researchers have uncovered a critical vulnerability in Linux's io_uring asynchronous I/O interface, rendering most runtime security tools, including Falco, Tetragon, and Microsoft Defender, unable to detect rootkits exploiting it. Attackers can leverage io_uring to bypass syscall monitoring, enabling stealthy operations. ARMO's proof-of-concept rootkit, 'Curing,' demonstrates the severity by operating entirely through io_uring. While some vendors have responded with fixes, widespread exposure remains. The research highlights the need for security vendors to adopt mechanisms like KRSI for enhanced detection capabilities.
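A defender can at least inventory which processes hold io_uring instances and whether the kernel restricts the interface. The sketch below is an added example, not ARMO's code or part of the Curing proof of concept. It assumes the usual Linux `/proc` layout, that io_uring descriptors appear as `anon_inode:[io_uring]` links, and that the kernel exposes the `kernel.io_uring_disabled` sysctl. The function names and the `proc_root` parameter are hypothetical.

```python
import os
from pathlib import Path

IO_URING_LINK = "anon_inode:[io_uring]"  # readlink target of an io_uring fd
SYSCTL_MEANING = {
    "0": "enabled for all processes",
    "1": "disabled for unprivileged processes not in io_uring_group",
    "2": "disabled for all processes",
}

def io_uring_policy(proc_root="/proc"):
    """Return (raw value, meaning) of kernel.io_uring_disabled; raw is None if absent."""
    try:
        raw = Path(proc_root, "sys/kernel/io_uring_disabled").read_text().strip()
    except OSError:
        return None, "sysctl not present on this kernel"
    return raw, SYSCTL_MEANING.get(raw, "unknown value")

def io_uring_holders(proc_root="/proc"):
    """Map pid -> (comm, count of io_uring fds) for processes holding a ring."""
    holders = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # skip non-process entries such as /proc/sys
        count = 0
        try:
            for fd in (entry / "fd").iterdir():
                try:
                    if os.readlink(fd) == IO_URING_LINK:
                        count += 1
                except OSError:
                    continue  # fd closed between listing and readlink
        except OSError:
            continue  # process exited or permission denied
        if count:
            try:
                comm = (entry / "comm").read_text().strip()
            except OSError:
                comm = "?"
            holders[int(entry.name)] = (comm, count)
    return holders

if __name__ == "__main__":
    print("kernel.io_uring_disabled:", *io_uring_policy())
    for pid, (comm, n) in sorted(io_uring_holders().items()):
        print(f"pid={pid} comm={comm} io_uring_fds={n}")
```

Run it as root to see every process. It reports only rings open at scan time and says nothing about which operations were submitted through them.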