• Linux : ARMO rootkit “Curing”


    https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/

    ARMO researchers reveal a major blind spot in Linux runtime security tools caused by the io_uring interface—an asynchronous I/O mechanism that bypasses traditional system calls. Most tools, including Falco, Tetragon, and Microsoft Defender, fail to detect rootkits using io_uring because they rely on syscall monitoring. ARMO’s proof-of-concept rootkit, Curing, operates fully via io_uring to demonstrate the threat. While some vendors responded with fixes or workarounds, the broader industry remains exposed. ..
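Since syscall-based sensors do not see I/O submitted through a ring, a defender can at least inventory which processes hold an io_uring instance and whether the kernel restricts the interface. The script below is an added example, not code from the post or from ARMO; the function names are hypothetical, and it assumes the `kernel.io_uring_disabled` sysctl (Linux 6.6 and later, not mentioned in the post) and the `anon_inode:[io_uring]` link target that io_uring file descriptors show under `/proc/<pid>/fd`.

```shell
#!/bin/sh
# Added example (not ARMO's code): audit a host for io_uring exposure.
# Both functions take an optional proc root so they can be run against
# a constructed directory tree instead of the live /proc.

# Report the kernel-wide io_uring policy.
# Sysctl values: 0 = allowed for all, 1 = unprivileged callers blocked
# (unless in io_uring_group), 2 = disabled for every process.
io_uring_policy() {
    iup_file="${1:-/proc}/sys/kernel/io_uring_disabled"
    if [ -r "$iup_file" ]; then
        case "$(cat "$iup_file")" in
            0) echo "enabled" ;;
            1) echo "restricted" ;;
            2) echo "disabled" ;;
            *) echo "unknown" ;;
        esac
    else
        # Kernels older than 6.6 have no such switch.
        echo "no-sysctl"
    fi
}

# Print "pid comm" for every process that holds an io_uring descriptor.
# Reading other users' fd directories requires root; unreadable entries
# are skipped silently.
io_uring_holders() {
    iuh_root="${1:-/proc}"
    for iuh_fd in "$iuh_root"/[0-9]*/fd/*; do
        iuh_target="$(readlink "$iuh_fd" 2>/dev/null)" || continue
        [ "$iuh_target" = "anon_inode:[io_uring]" ] || continue
        iuh_pid="${iuh_fd#"$iuh_root"/}"
        iuh_pid="${iuh_pid%%/*}"
        echo "$iuh_pid $(cat "$iuh_root/$iuh_pid/comm" 2>/dev/null)"
    done | sort -u
}

# Scan the live system only when invoked as: ./script scan
if [ "${1:-}" = "scan" ]; then
    echo "policy: $(io_uring_policy)"
    io_uring_holders
fi
```

Holding an io_uring descriptor is not malicious in itself; the list is a baseline to compare against the workloads expected to use the interface.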
