Summary
Falco versions before 0.18.0 crash when the Kubernetes audit event web server receives an HTTP request containing malformed JSON data. An attacker with access to the port exposed by Falco's embedded web server can send a single malformed request to crash the process, disabling runtime security monitoring. This vulnerability was identified as FAL-01-003 in the Falco security audit published in 2019.
Impact
Any actor with network access to Falco's Kubernetes audit endpoint port can crash the Falco process by sending a single HTTP request with malformed data, such as a JSON body where the kind field is set to a non-string value. This takes down all Falco rule evaluation and alert generation for the duration of the outage. The precondition is network access to the web server port — no authentication or special privileges are required beyond that.
Detection
No automated detection method specific to this crash is described in the advisory. Monitor the Falco process for unexpected terminations via service health checks or systemd unit state. Inspect HTTP access logs for the Kubernetes audit endpoint to identify malformed request attempts correlated with crash events.
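As an added example (not from the advisory or the Falco project), a small Python script that applies the log-correlation approach above: it parses constructed proxy access-log lines for the audit endpoint and constructed journal lines recording the Falco process exit, then reports requests that arrived shortly before a crash. The request path /k8s_audit and both log formats are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real data). They are assumed to come
# from a reverse proxy in front of Falco's embedded web server; the request
# path /k8s_audit is an assumption, as the advisory does not name the path.
ACCESS_LOG = """\
10.0.0.5 [2019-11-20T10:00:01Z] "POST /k8s_audit HTTP/1.1" 200
10.0.0.9 [2019-11-20T10:02:13Z] "POST /k8s_audit HTTP/1.1" 400
10.0.0.9 [2019-11-20T10:02:14Z] "POST /k8s_audit HTTP/1.1" 502
10.0.0.5 [2019-11-20T10:30:00Z] "POST /k8s_audit HTTP/1.1" 200
"""
# Constructed journal lines (systemd style) recording the Falco process exit.
JOURNAL = """\
2019-11-20T10:02:14Z falco.service: Main process exited, code=killed, status=11/SEGV
2019-11-20T10:02:20Z falco.service: Scheduled restart job, restart counter is at 1.
"""

LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})$')
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_access_log(text, endpoint="/k8s_audit"):
    """Return (client, timestamp, status) for each request to the audit endpoint."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4) == endpoint:
            out.append((m.group(1), datetime.strptime(m.group(2), TS_FMT), int(m.group(5))))
    return out


def parse_crashes(text):
    """Return timestamps of journal lines that record an unexpected process exit."""
    return [datetime.strptime(line.split()[0], TS_FMT)
            for line in text.splitlines() if "Main process exited" in line]


def correlate(access_log, journal, window_s=5):
    """Return audit-endpoint requests that landed within window_s seconds before a crash."""
    crashes = parse_crashes(journal)
    hits = []
    for client, ts, status in parse_access_log(access_log):
        if any(timedelta(0) <= crash - ts <= timedelta(seconds=window_s) for crash in crashes):
            hits.append((client, ts.strftime(TS_FMT), status))
    return hits
```

Requests flagged by correlate() are candidates for follow-up, not proof of a malicious sender; a legitimate audit webhook can also hit a crashing endpoint right before it goes down.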
Mitigation
Upgrade Falco to 0.18.0 or later.
Workaround: Users who do not need Kubernetes Audit Event detection can disable the embedded web server in Falco's configuration. A version upgrade is strongly recommended regardless.