An unprivileged attacker can hide a process from procps-ng's utilities, by exploiting either a denial of service (a rather noisy method) or a race condition inherent in reading /proc/PID entries (a stealthier method). https://security.archlinux.org/CVE-2018-1121 https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt