A critical gap has been found in Linux runtime security: many of the tools meant to protect Linux hosts fail to detect threats that perform their activity through the io_uring interface.
This discovery exposes a serious hole in the protection of Linux-based systems across cloud environments and data centers worldwide.
The research team at ARMO has demonstrated that popular security solutions, including CrowdStrike’s Falcon, Microsoft Defender, Falco, and Tetragon, are effectively “blind” to malicious activity performed via io_uring, an asynchronous I/O mechanism introduced in Linux 5.1 that lets applications submit I/O operations without issuing the traditional per-operation system calls.
This blind spot affects nearly all commercial Linux runtime security tools that rely on system call monitoring for threat detection.
“We decided to create Curing and release it publicly… to raise awareness about io_uring as an overlooked mechanism that attackers can exploit,” ARMO researchers stated in their report.
Despite io_uring being available for years and previously identified as potentially problematic, security vendors have largely failed to address this gap in their monitoring capabilities.
Proof-of-Concept & Real-World Threat
To prove the significance of this vulnerability, ARMO developed “Curing,” a fully functional rootkit that operates exclusively through io_uring operations.
This proof-of-concept malware can establish command and control communications, access sensitive files, and execute malicious commands while remaining undetected by standard security solutions.
Researchers found alarming results when testing major security products against their rootkit. CrowdStrike’s Falcon agent failed to detect sensitive file access performed through io_uring, which effectively bypassed all of its file system visibility.
Similarly, Microsoft Defender for Endpoint on Linux missed multiple attack indicators, including malware drops and suspicious network connections.
According to a senior vice president at one of the top cybersecurity companies quoted in the report, “We take this very seriously as it bypasses all our file system visibility.”
Vendor responses to this security gap have been mixed. CrowdStrike quickly acknowledged the issue and delivered a fix that adds visibility into io_uring-based operations. SentinelOne confirmed that their agent is not affected by this vulnerability.
In contrast, Microsoft was reportedly unresponsive despite multiple attempts by researchers to communicate their findings. Open-source projects had varied responses—Falco maintainers acknowledged the issue and are working on a plugin for deeper visibility, while Tetragon developers pointed out that their tool can detect io_uring operations, but only if specifically configured to do so.
The report outlines several approaches that security vendors can implement to close this gap. These include detecting anomalous usage of io_uring, implementing KRSI (Kernel Runtime Security Instrumentation, the LSM-hook-based eBPF instrumentation in the kernel), and finding alternative hook points across the Linux stack.
“KRSI offers native integration with the Linux security layer, enabling deep visibility into kernel-level events. It’s an evolving and promising technology that aligns well with the need for modern, flexible detection strategies,” the researchers noted.
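The first of those approaches, spotting io_uring use that a host is not expected to have, can be started from user space without kernel instrumentation. The following is an added example (not code from ARMO’s report or the Curing PoC): it relies on the fact that an io_uring instance appears in a process’s fd table as a link to `anon_inode:[io_uring]`, and it reports ring-holding processes whose command name is not on an allowlist. The allowlist contents and the snapshot format are this example’s own assumptions.

```python
"""Hunt for io_uring users by inspecting /proc (added example, not from the ARMO report)."""
import os
from dataclasses import dataclass, field

IO_URING_MARKER = "anon_inode:[io_uring]"  # readlink() target of an io_uring instance fd


@dataclass
class Finding:
    pid: int
    comm: str
    ring_fds: list = field(default_factory=list)


def io_uring_fds(fd_table):
    """fd_table maps fd number -> readlink() target; return the fds that are io_uring rings."""
    return sorted(fd for fd, target in fd_table.items() if target == IO_URING_MARKER)


def find_ring_users(snapshot, expected_users=frozenset()):
    """snapshot maps pid -> (comm, fd_table). Report ring holders not on the allowlist.
    The allowlist is an assumption: populate it from a baseline of known io_uring users."""
    findings = []
    for pid, (comm, fd_table) in sorted(snapshot.items()):
        fds = io_uring_fds(fd_table)
        if fds and comm not in expected_users:
            findings.append(Finding(pid, comm, fds))
    return findings


def snapshot_proc():
    """Build the pid -> (comm, fd_table) snapshot from the live /proc; unreadable entries are skipped."""
    snapshot = {}
    try:
        pids = [int(e) for e in os.listdir("/proc") if e.isdigit()]
    except OSError:
        return snapshot  # no /proc (not Linux) or not permitted
    for pid in pids:
        fd_table = {}
        try:
            for name in os.listdir(f"/proc/{pid}/fd"):
                try:
                    fd_table[int(name)] = os.readlink(f"/proc/{pid}/fd/{name}")
                except OSError:
                    continue  # fd closed between listdir and readlink
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited or fd table not readable (needs root for other users)
        snapshot[pid] = (comm, fd_table)
    return snapshot


if __name__ == "__main__":
    for hit in find_ring_users(snapshot_proc()):
        print(f"pid={hit.pid} comm={hit.comm} io_uring fds={hit.ring_fds}")
```

This only shows that a ring exists, not which files or sockets the ring is touching; the operation-level visibility the report calls for requires hooking inside the kernel, for instance through KRSI/LSM hooks, rather than watching syscalls.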
With Linux as the foundation for most cloud infrastructure, this gap affects organizations across all sectors. The researchers emphasize that security vendors must move their detection strategies beyond simple syscall monitoring to ensure comprehensive protection against increasingly sophisticated attack techniques.
This discovery highlights the challenges security vendors face in keeping pace with evolving attack techniques and underscores the importance of comprehensive monitoring approaches that can adapt to new kernel features and bypass methods.