GHSA-q77j-vxxw-mwgj
Severity: High

Affected projects
falco

Disclosed
Last updated

Affected versions

Project   Vulnerable range
Falco     < 0.18.0

Patched versions

Project   Fixed in
Falco     0.18.0

References

Summary

Falco versions before 0.18.0 expose a Kubernetes audit event web server whose request handlers share a non-thread-safe Lua state. Sending concurrent HTTP requests to this endpoint causes Falco to crash, allowing external actors to shut down runtime security monitoring. The vulnerability requires the Falco gRPC server and gRPC outputs API to both be enabled and a gRPC client to be consuming Falco alerts at the time of the attack.

Impact

An attacker with network access to Falco's audit web server port can crash the Falco process by sending concurrent requests, effectively disabling all runtime rule enforcement for the duration of the outage. Because the Lua state is not thread-safe by design, there is no safe configuration short of disabling the web server entirely. Any user running Falco before version 0.18.0 with the Kubernetes audit endpoint exposed is affected.

Detection

No specific automated detection method for this crash is described in the advisory. Monitor the Falco process for unexpected terminations using host-level service monitoring or systemd unit state checks. Correlate crash timestamps with inbound HTTP request logs to the Kubernetes audit endpoint to identify exploitation attempts.
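The correlation step described above, as an added example that is not part of the advisory: it reads a unified log, picks out systemd terminations of the falco unit and requests to the `/k8s-audit` endpoint, and reports for each termination how many requests arrived in the preceding window. The log lines and their format are constructed for this example, and the request lines are assumed to come from a proxy or flow log in front of Falco's audit endpoint rather than from Falco itself.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real Falco or systemd output). Assumed format:
# "<ISO-8601 UTC timestamp> <source> <message>"; request lines are assumed to
# come from a proxy or flow log in front of Falco's Kubernetes audit endpoint.
SAMPLE_LOG = """\
2020-01-10T12:00:00Z audit-proxy POST /k8s-audit from 10.0.0.7
2020-01-10T12:00:00Z audit-proxy POST /k8s-audit from 10.0.0.8
2020-01-10T12:00:00Z audit-proxy POST /k8s-audit from 10.0.0.9
2020-01-10T12:00:01Z audit-proxy POST /k8s-audit from 10.0.0.9
2020-01-10T12:00:01Z systemd falco.service: Main process exited, code=killed, status=11/SEGV
2020-01-10T12:30:00Z audit-proxy POST /k8s-audit from 10.0.0.7
2020-01-10T13:00:00Z systemd falco.service: Main process exited, code=killed, status=15/TERM
"""

CRASH_RE = re.compile(r"falco\.service: Main process exited, code=\w+, status=(\S+)")
REQUEST_RE = re.compile(r"/k8s-audit from (\S+)")

def parse_log(text):
    """Return (timestamp, kind, detail) tuples; kind is 'crash' or 'request'."""
    events = []
    for line in filter(None, text.splitlines()):
        ts_str, _source, message = line.split(" ", 2)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if m := CRASH_RE.search(message):
            events.append((ts, "crash", m.group(1)))      # exit status, e.g. 11/SEGV
        elif m := REQUEST_RE.search(message):
            events.append((ts, "request", m.group(1)))    # client address
    return events

def correlate(text, window_seconds=5, min_requests=3):
    """For every falco termination, count audit-endpoint requests in the preceding window."""
    events = parse_log(text)
    requests = [(ts, client) for ts, kind, client in events if kind == "request"]
    findings = []
    for ts, kind, status in events:
        if kind != "crash":
            continue
        start = ts - timedelta(seconds=window_seconds)
        burst = [client for rts, client in requests if start <= rts <= ts]
        # A termination with no request burst (e.g. an operator SIGTERM) is reported but not flagged.
        findings.append({"crash_at": ts.isoformat(), "status": status,
                         "requests_in_window": len(burst), "distinct_clients": sorted(set(burst)),
                         "suspicious": len(burst) >= min_requests})
    return findings
```

Calling `correlate(SAMPLE_LOG)` flags the SIGSEGV at 12:00:01 (four requests from three clients in the preceding five seconds) and leaves the later SIGTERM, which no traffic preceded, unflagged.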

Mitigation

Upgrade Falco to 0.18.0 or later.

Workaround: users who do not need to detect Kubernetes audit events can disable the embedded web server in the Falco configuration. If the Kubernetes audit web server cannot be disabled, upgrading is the only remedy: the Lua state is not thread-safe by design and cannot be made safe through configuration alone.
