Stealthy Rootkits in Linux: The Security Blind Spot in io_uring

Written by Adrian León | Apr 24, 2025 11:23:26 PM

Linux has long been synonymous with stability and security, especially in enterprise environments where reliability is essential. However, even the most robust systems are not exempt from hidden vulnerabilities.

Security researchers have identified a critical gap in the Linux runtime environment related to io_uring, a modern interface designed to optimize kernel input/output operations. This weakness allows rootkits to hide effectively, operating under the radar without being detected by advanced security solutions.

To demonstrate the viability of this attack vector, the researchers developed a proof-of-concept rootkit called “Curing,” which exploits the internal structures of io_uring to remain active even after its visible traces are removed from the system.

The finding not only undermines system integrity but also poses a direct challenge to many traditional detection tools. Understanding how this weakness works (and what can be done to mitigate it) has become an urgent priority for system administrators and IT professionals committed to the real security of their Linux environments.

What is io_uring?

io_uring is a modern interface added to the Linux kernel in 2019 (version 5.1) to improve the performance of input/output (I/O) operations. It was created by Jens Axboe, lead developer of the Linux block I/O layer, and lets applications perform asynchronous I/O without the context-switch and locking overhead of traditional system calls. Key benefits of io_uring:

  1. Faster I/O operations.

  2. Lower CPU usage.

  3. Ideal for high performance applications such as web servers, databases and file systems.

Rather than issuing one system call per request, which is slow and can stall a process, io_uring uses ring buffers shared between the program and the Linux kernel. I/O requests (such as reading or writing files) are queued in those rings and completed asynchronously, without blocking, so the program keeps running while the kernel handles the work in the background.

But like any low-level component in the kernel, if not properly managed, it can become a critical entry point for sophisticated attacks.

The discovery of the security blind spot

The big problem with this weakness in Linux is that many of today's security tools focus on monitoring system calls, using mechanisms such as ptrace or seccomp. The troubling detail? Everything that goes through io_uring is off their radar. It is as if they had a blind spot right where the most dangerous activity could be taking place.

The most alarming thing is that io_uring is not a simple interface: it supports more than 60 types of operations, from reading and writing files, network connections, running processes, changing permissions, to reading directories. Basically, everything necessary for a rootkit to operate without arousing suspicion.

In fact, the risk is so real that Google decided to disable io_uring by default on Android and ChromeOS, systems that are also based on the Linux kernel. That's saying enough.

To demonstrate how serious the issue is, a rootkit called Curing was developed. This small program connects to a remote server, receives instructions and executes them directly via io_uring, all without triggering any alerts in traditional monitoring systems.

And what happened when several well-known security tools were tested? Most failed to detect anything at all.

For example:

  1. Falco saw nothing, even using custom rules to try to identify the behavior.

  2. Tetragon, under its default settings, didn't flag anything suspicious either.

Of course, Tetragon's maintainers clarified that their platform is flexible and can be configured to detect this type of attack. They also shared a technical write-up on how to address the problem, although the default configuration does not offer such protection.

In addition, when testing commercial security tools (whose names were not disclosed), it was confirmed that many also failed to detect malicious activity related to io_uring. In short: if the malware doesn't use classic system calls, most current defenses don't see it coming.

The good news? The Curing rootkit is available on GitHub, in case you want to test it yourself and assess whether your environment is exposed.

As a longer-term solution, the researchers suggest adopting technologies such as KRSI (Kernel Runtime Security Instrumentation), which lets eBPF programs hook directly into security-related kernel events. This would open the door to far more complete monitoring, including of components such as io_uring.
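As an added defender-side check (example code written for this article, not part of the Curing project or the researchers' tooling), the script below inventories which processes currently hold an io_uring ring and reports the kernel's io_uring policy. It relies on two kernel facts: each ring is an anonymous-inode file descriptor whose /proc/<pid>/fd link reads anon_inode:[io_uring], and Linux 6.6 and later expose the kernel.io_uring_disabled sysctl (0 = enabled, 1 = restricted to privileged processes or a configured group, 2 = disabled). Run it as root to see other users' processes.

```python
"""Inventory of processes holding io_uring rings, read from /proc.

Syscall-based monitors do not see work submitted through io_uring, but the
ring itself is still a file descriptor, so a /proc scan reveals which
processes have one open. Example code, not from the article or Curing.
"""
import os

IO_URING_TARGET = "anon_inode:[io_uring]"            # fd link target of a ring
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"    # present on Linux 6.6+


def io_uring_fds(proc_root="/proc"):
    """Return {pid: [fd, ...]} for every process with an io_uring fd open."""
    found = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():          # skip self, sys, net, etc.
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            entries = os.listdir(fd_dir)
        except OSError:                 # process exited or fds not readable
            continue
        rings = []
        for fd in entries:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:             # fd closed between listdir and readlink
                continue
            if target == IO_URING_TARGET:
                rings.append(int(fd))
        if rings:
            found[int(name)] = sorted(rings)
    return found


def io_uring_policy(sysctl_path=SYSCTL_PATH):
    """Label kernel.io_uring_disabled; None when the sysctl does not exist."""
    labels = {0: "enabled", 1: "restricted", 2: "disabled"}
    try:
        with open(sysctl_path) as f:
            return labels.get(int(f.read().strip()), "unknown")
    except OSError:
        return None


if __name__ == "__main__":
    print("kernel.io_uring_disabled:", io_uring_policy())
    for pid, fds in io_uring_fds().items():
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
        except OSError:
            comm = "?"
        print(f"pid {pid} ({comm}) holds io_uring rings on fds {fds}")
```

A process showing up here is not malicious by itself (databases and web servers use io_uring legitimately), so the value is in comparing the list against the workloads you expect on the host.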