Linux Kernel Vulnerability: io_uring Rootkit Bypasses Traditional Security

2025-04-24

New research reveals a Linux rootkit, "Curing," leveraging the kernel's io_uring feature to stealthily bypass many existing security tools. Curing uses io_uring for malicious activities like network connections or file tampering without triggering alarms in system call-based security mechanisms. This is particularly dangerous for eBPF-based tools, which often monitor only system calls, neglecting io_uring. The discovery poses a serious threat to cloud-native businesses relying on these detection systems. ARMO's CADR solution can block such attacks; its automatic Seccomp Profile management allows disabling unnecessary system calls like io_uring.
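As an added example (not code from ARMO or from the Curing research), the following Python script shows what "disabling io_uring through a seccomp profile" means in practice: io_uring is driven from user space through the system calls `io_uring_setup`, `io_uring_enter` and `io_uring_register`, so a profile that lets those three through leaves the monitoring gap open. The script audits a Docker/Kubernetes-style seccomp profile (the JSON layout Docker documents: `defaultAction` plus a list of `syscalls` rules) for that exposure and produces a hardened copy that returns `ENOSYS` for all three. The sample profile is constructed for the example; the "first matching rule wins, argument-filtered rules ignored" evaluation is a deliberate simplification of libseccomp's semantics.

```python
"""Audit a seccomp profile for io_uring exposure and emit a hardened copy.

Added example, not ARMO's CADR code. Profile layout follows the JSON format
Docker and Kubernetes accept for seccomp profiles.
"""
import copy
import json

# The three system calls through which user space drives io_uring; blocking
# them forces I/O back through the regular syscalls that monitors observe.
IO_URING_SYSCALLS = ("io_uring_setup", "io_uring_enter", "io_uring_register")

ENOSYS = 38  # Linux errno for "function not implemented"

# Constructed sample: a permissive default-allow profile that only denies ptrace.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"},
    ],
}


def effective_action(profile, syscall):
    """Return the action the profile applies to `syscall`.

    Simplification: the first rule naming the syscall wins, and rules carrying
    an `args` filter are skipped because they only narrow a base action.
    A syscall named by no rule falls through to defaultAction.
    """
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []) and not rule.get("args"):
            return rule["action"]
    return profile["defaultAction"]


def io_uring_exposure(profile):
    """Map each io_uring syscall to True when the profile lets it through."""
    return {
        name: effective_action(profile, name) == "SCMP_ACT_ALLOW"
        for name in IO_URING_SYSCALLS
    }


def deny_io_uring(profile, errno=ENOSYS):
    """Return a deep copy of `profile` in which io_uring syscalls are denied.

    ENOSYS is returned instead of killing the process, so software with an
    io_uring fast path can fall back to ordinary read/write/connect calls,
    which syscall-based monitors then see. The original profile is untouched.
    """
    hardened = copy.deepcopy(profile)
    kept = []
    for rule in hardened.get("syscalls", []):
        # Strip the io_uring names from every existing rule (allow or deny);
        # a rule that named nothing else is dropped entirely.
        remaining = [n for n in rule.get("names", []) if n not in IO_URING_SYSCALLS]
        if remaining:
            kept.append(dict(rule, names=remaining))
    # Put the explicit deny first so it is the rule that matches.
    kept.insert(0, {
        "names": list(IO_URING_SYSCALLS),
        "action": "SCMP_ACT_ERRNO",
        "errnoRet": errno,
    })
    hardened["syscalls"] = kept
    return hardened


def exposure_report(profile):
    """Human-readable one-liner per io_uring syscall."""
    return "\n".join(
        f"{name}: {'ALLOWED' if exposed else 'blocked'}"
        for name, exposed in io_uring_exposure(profile).items()
    )


if __name__ == "__main__":
    print("before:\n" + exposure_report(SAMPLE_PROFILE))
    hardened = deny_io_uring(SAMPLE_PROFILE)
    print("after:\n" + exposure_report(hardened))
    # Write the hardened profile for use with
    # `docker run --security-opt seccomp=no-io_uring.json ...`
    with open("no-io_uring.json", "w") as fh:
        json.dump(hardened, fh, indent=2)
```

The written file can be used directly as a Docker seccomp profile or, on Kubernetes, as a `localhostProfile` under the pod's `securityContext.seccompProfile`. Run the audit half alone against an existing profile before rolling the deny out: a default-deny profile whose allow-list happens to include `io_uring_enter` is reported as exposed just like the default-allow sample above.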