Summary: Researchers have developed a proof-of-concept rootkit named Curing that uses the Linux io_uring interface to perform its actions without invoking the system calls that traditional monitoring tools watch. The work exposes a significant blind spot in Linux runtime security: tools such as Falco and Tetragon, which depend on system call hooking, are ill-equipped to detect rootkit activity issued through io_uring.
Affected: Linux runtime security tools, specifically Falco and Tetragon
Key points:
- The Curing rootkit takes advantage of the io_uring mechanism to operate without invoking traditional system calls.
- This creates significant blind spots for existing security tools, making them ineffective against io_uring-based rootkits.
- Google has limited the use of io_uring in its systems due to its potential for exploitation and the challenges it poses for maintaining system security.
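The blind spot above is in syscall telemetry, not in the kernel's own bookkeeping: a process that owns an io_uring ring still holds it as a file descriptor, which is visible under /proc. The following Python script is an added example (not code from the article or from the Curing research) that inventories such processes as a baseline check; it assumes a Linux host with procfs mounted and that the fd symlink target for a ring is `anon_inode:[io_uring]`.

```python
"""Inventory processes holding io_uring rings via /proc fd links (no syscall hooks)."""
import os

# Assumed target of /proc/<pid>/fd/N when N refers to an io_uring ring.
IO_URING_LINK = "anon_inode:[io_uring]"

def io_uring_fds(fd_links):
    """fd_links maps fd number -> readlink() target; return the ring fds."""
    return sorted(fd for fd, tgt in fd_links.items() if tgt == IO_URING_LINK)

def read_fd_links(pid, proc="/proc"):
    """Read /proc/<pid>/fd/* targets; skip fds that vanish or are not readable."""
    links = {}
    fd_dir = os.path.join(proc, str(pid), "fd")
    try:
        names = os.listdir(fd_dir)
    except OSError:  # process exited, or not our process and not root
        return links
    for name in names:
        try:
            links[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue
    return links

def scan(proc="/proc"):
    """Map pid -> (comm, [ring fds]) for every process that holds a ring."""
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fds = io_uring_fds(read_fd_links(int(entry), proc))
        if not fds:
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        hits[int(entry)] = (comm, fds)
    return hits

# Constructed sample of readlink() targets (not captured from a real host):
SAMPLE_FD_LINKS = {0: "/dev/pts/0", 3: "/var/log/app.log", 5: IO_URING_LINK}

if __name__ == "__main__":
    print(scan())
```

Rings are used legitimately by databases and runtimes, so treat the output as an inventory to baseline against rather than as an alert on its own. Run it as root to see every process; unprivileged runs only cover the caller's own processes.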
Source: https://thehackernews.com/2025/04/linux-iouring-poc-rootkit-bypasses.html