When Killing a Process Doesn't Kill the Risk: How PID Reuse and Stale eBPF State Caused Cascading False Positives in KernelEye

May 5 · 12 min read · During kernelEye detection rule adjustments, I encountered an interesting bug worth sharing. The issue can be reproduced and understood within a few minutes through the write-up or the debugging video