CRITICAL  GHSA-c7mr-v692-9p4g
Affected projects
falco

Affected versions

Project   Vulnerable range
Falco     < 0.28.1

Patched versions

Project   Fixed in
Falco     0.28.1

Summary

In Falco versions up to 0.28.0, if the kernel module crashed or blocked indefinitely, Falco would no longer receive system call events. Because Falco did not implement any mechanism to detect this failure condition, attackers who could trigger a kernel module crash could subsequently perform any desired action without Falco generating alerts.

Impact

Successful exploitation of this weakness allows an attacker who can cause the Falco kernel module to crash or block to completely disable runtime security monitoring without detection. All system call-based rules would silently stop firing, giving the attacker an unmonitored window of arbitrary duration. Any user running Falco up to version 0.28.0 with the kernel module driver was affected by this issue.

Detection

No automated detection method for this failure condition is described in the advisory. Operators should implement external process health monitoring for the Falco service (for example, via systemd service state checks or a watchdog process) to detect unexpected terminations. Verifying that the kernel module remains loaded (lsmod | grep falco) and monitoring for gaps in Falco alert output are additional indicators that the module may have stopped delivering events even though the Falco process is still running.
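The following is an added example, not code from the advisory or from the Falco project, that turns the three indicators above into a small liveness check: systemd unit state, presence of the `falco` module in `lsmod` output, and the age of the newest event in Falco's JSON output. The lsmod text, the event lines, the 10-minute silence threshold and the log path are constructed or assumed for illustration; the RFC 3339 timestamp layout with nanoseconds and a `+0000` suffix is the form Falco's JSON output uses, but the parser also accepts `Z` and `+00:00` variants.

```python
"""Liveness check for a Falco deployment using the kernel-module driver.

Added example (not from the GHSA advisory or the Falco project). It combines
the three indicators listed under Detection: service state, module presence
in lsmod, and a gap in alert output. Silence alone is not proof of failure on
an idle host, so treat the event-gap signal as a prompt to look, not an alarm.
"""
import json
import re
import subprocess
from datetime import datetime, timedelta

MODULE_NAME = "falco"                # module name as it appears in lsmod
MAX_SILENCE = timedelta(minutes=10)  # assumed threshold; tune to the host's event rate
EVENT_LOG = "/var/log/falco_events.json"  # assumed path of Falco's JSON output

_TIME_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:?\d{2})$"
)


def service_active(unit: str = "falco") -> bool:
    """Ask systemd whether the Falco unit is running (exit code 0 == active)."""
    try:
        result = subprocess.run(["systemctl", "is-active", "--quiet", unit], check=False)
        return result.returncode == 0
    except FileNotFoundError:  # no systemctl on this host
        return False


def module_loaded(lsmod_output: str, name: str = MODULE_NAME) -> bool:
    """True when `name` is listed as a module in lsmod's output.

    lsmod prints a header line and then one module per line. Match the first
    column exactly instead of substring-grepping, so 'falco' does not match an
    unrelated module whose name merely starts with it."""
    for line in lsmod_output.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0] == name:
            return True
    return False


def parse_falco_time(stamp: str) -> datetime:
    """Parse the RFC 3339 'time' field of a Falco JSON event into an aware datetime.

    Falco emits nanosecond precision (e.g. 2021-04-01T10:55:17.913727589+0000);
    strptime only handles microseconds, so the fraction is truncated to six digits."""
    match = _TIME_RE.match(stamp)
    if not match:
        raise ValueError(f"unrecognised Falco timestamp: {stamp!r}")
    base, frac, tz = match.groups()
    frac = (frac or "")[:6].ljust(6, "0")
    tz = "+0000" if tz == "Z" else tz.replace(":", "")
    return datetime.strptime(f"{base}.{frac}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")


def last_event_time(json_lines):
    """Newest event timestamp among Falco JSON-output lines, or None if there are none."""
    newest = None
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            stamp = json.loads(line)["time"]
        except (ValueError, KeyError, TypeError):
            continue  # not a Falco event line (e.g. a startup log message)
        seen = parse_falco_time(stamp)
        if newest is None or seen > newest:
            newest = seen
    return newest


def alert_gap(json_lines, now: datetime, max_silence: timedelta = MAX_SILENCE) -> bool:
    """True when the newest event is older than max_silence, or no event exists at all."""
    newest = last_event_time(json_lines)
    return newest is None or now - newest > max_silence


def check_falco(lsmod_output: str, json_lines, now: datetime,
                max_silence: timedelta = MAX_SILENCE, check_service: bool = True):
    """Return a list of findings; an empty list means every indicator looks healthy."""
    findings = []
    if check_service and not service_active():
        findings.append("falco service is not active")
    if not module_loaded(lsmod_output):
        findings.append(f"kernel module '{MODULE_NAME}' is not loaded")
    if alert_gap(json_lines, now, max_silence):
        findings.append(f"no Falco event seen in the last {max_silence}")
    return findings


if __name__ == "__main__":
    # Real run: read lsmod and the event log, then exit non-zero on any finding
    # so a cron job or systemd timer can page on failure.
    lsmod_text = subprocess.run(["lsmod"], capture_output=True, text=True, check=True).stdout
    with open(EVENT_LOG, encoding="utf-8") as fh:
        problems = check_falco(lsmod_text, fh, datetime.now(tz=parse_falco_time("1970-01-01T00:00:00Z").tzinfo))
    for problem in problems:
        print(problem)
    raise SystemExit(1 if problems else 0)
```

Run it from a timer with a threshold matched to the host's normal event rate; on a quiet host a long silence is expected, so pair the gap check with the service and module checks rather than alerting on silence alone.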

Mitigation

Upgrade Falco to 0.28.1 or later. No configuration workaround exists for this issue — a version upgrade is required, as the fix adds a mechanism to detect kernel module failure.
