TokenDanceMY

The io_uring Bug That Handed Attackers Root: Why 'Fast' and 'Secure' Keep Fighting Each Other in Linux

A performance shortcut built into Linux became a master key — and most security tools never saw it coming.

TokenDance Editors·11 May 2026
The io_uring Bug That Handed Attackers Root: Why 'Fast' and 'Secure' Keep Fighting Each Other in Linux

What io_uring Actually Is — And Why It Was Built This Way

Think of the traditional way a program talks to the Linux kernel like queuing at a bank counter. Every time your app needs to read a file or send a network packet, it has to walk up to the counter, make a request, wait, and walk back. That waiting — called a system call — adds overhead, especially when you're doing thousands of I/O operations per second. io_uring, introduced in Linux kernel version 5.1 in March 2019, replaces this with something more like a Touch 'n Go lane. Instead of stopping at the counter each time, requests are dropped into a shared ring buffer — a circular queue — between the application and the kernel. The kernel processes them asynchronously and drops results into a separate completion queue. The app keeps running without waiting. This architecture reduces the number of system calls required and minimises the overhead from frequent transitions between user space and kernel space. The performance gains are real and significant, which is why io_uring was celebrated as one of the greatest Linux kernel innovations in recent years. The problem, as ARMO's research makes clear, is architectural: because io_uring bypasses the system call layer for actual operations, any security tool built around monitoring system calls is effectively blind to what io_uring is doing.

What io_uring Actually Is — And Why It Was Built This Way

The Specific Bug That Handed Out Root Access

The performance focus baked into io_uring's design isn't just a monitoring problem — it has also produced direct privilege escalation vulnerabilities. CVE-2023-2598, dubbed 'Conquering the memory through io_uring,' is a documented example tracked by Oracle's Ksplice team. The vulnerability exists in io_uring's buffer registration code path. An optimisation in that code path gave a local user access to memory pages beyond the valid limit — essentially reading outside the boundaries that should have been enforced. By exploiting this, an unprivileged local user could escalate to root privileges. The fix corrects the boundary enforcement, but here is the uncomfortable truth Oracle's team highlights: once a code path is fixed, a system administrator gets no alert if someone tries the same exploit again. The fixed code simply works correctly and silently. Oracle's Ksplice addresses this with what they call Known Exploit Detection — tripwires laid alongside the fix so that any attempt to read beyond the valid pages is detected and logged, generating a warning through systemd's journald service. The logged output identifies the CVE, the process ID, and the binary attempting the exploit. This distinction between fixing a vulnerability and detecting exploitation attempts is one that most patching workflows completely miss.

The Specific Bug That Handed Out Root Access

This Is a Pattern, Not a One-Off: Google Paid Out $1 Million to Prove It

CVE-2023-2598 is not an isolated incident. Google's own data tells the story bluntly. Through its kCTF Vulnerability Rewards Program, Google found that 60% of submissions were centred on io_uring. Google paid out around one million USD worth of io_uring vulnerability bounties. The response was decisive: Google disabled io_uring on ChromeOS entirely until a proper sandboxing solution is found. On Android, a seccomp-bpf filter blocks apps from using it, with future Android releases planned to use SELinux to restrict io_uring to select system processes. Google also disabled io_uring on its production servers and is working on disabling it by default in GKE Autopilot. Google's own security blog described io_uring as providing 'strong exploitation primitives' — meaning it gives attackers powerful tools to work with once they find a foothold. This is the recurring pattern with performance-oriented kernel features: the same architectural choices that make them fast — reduced checkpoints, shared memory regions, kernel bypass — expand the attack surface in ways that take years of bug bounties and real-world exploits to fully map out.

This Is a Pattern, Not a One-Off: Google Paid Out $1 Million to Prove It

Sources

  1. [1]Ksplice Known Exploit Detection for io_uring, glibc, overlayfs and netfilterOracle Blogs
  2. [2]Linux Has A Blind Spot That Exposes Users To A Nasty Security FlawHotHardware
  3. [3]Linux io_uring PoC Rootkit Bypasses System Call-Based Threat Detection ToolsThe Hacker News
  4. [4]Claude Code Used to Find Remotely Exploitable Linux Kernel Vulnerability Hidden for 23 Yearsinfoq.com
  5. [5]Linux 'io_uring' security blindspot allows stealthy rootkit attacksBleepingComputer
  6. [6]Google Limiting IO_uring Use Due To Security VulnerabilitiesPhoronix
  7. [7]Ksplice Known Exploit Detection for DirtyCred Remastered, io_uring, A_PACKET, Looney Tunables and more...Oracle Blogs
  8. [8]Using Ksplice To Detect Exploit AttemptsOracle Blogs
  9. [9]Ksplice Known Exploit Detection for io_uring, glibc, overlayfs and netfilterOracle Blogs
  10. [10]Learnings from kCTF VRP's 42 Linux kernel exploits submissionsblog.google
  11. [11]Linux malware can avoid syscall-based endpoint protectionThe Register
  12. [12]Kubernetes Security Starts With the SyscallHackerNoon
  13. [13]Ksplice Known Exploit Detection for DirtyCred Remastered, io_uring, A_PACKET, Looney Tunables and more...Oracle Blogs
  14. [14]AppArmor Adds IO_uring Mediation & Some Performance OptimizationsPhoronix

Comments

No comments yet — be the first to weigh in.