brandur.org

I’ve previously written about io_uring, possibly one of the more exciting kernel developments in recent memory, aiming to improve the performance of fundamental I/O operations.

But it’s not without major fault. A post from Google’s security team describes how, in the year leading up to June 2023, 60% of reported vulnerabilities were in io_uring, and Google has paid out $1 million USD for io_uring exploits.

Due to the high risk of compromise, Google has turned it off across its properties:

  • ChromeOS: Disabled, with exploration into sandboxing it.

  • Android: Unreachable from apps. Future releases will lean on SELinux to limit io_uring access to select system processes.

  • Google production servers: Disabled.