CrowdStrike Falcon Content Update Incident of July 2024
CrowdStrike · Falcon sensor content update
On July 19, 2024, CrowdStrike released a content configuration update (Channel File 291) for its Falcon Windows sensor. This update, intended to gather telemetry on novel threat techniques, contained an error that caused system crashes on affected Windows hosts. The issue was identified and a fix deployed within 78 minutes of the update’s release.
The incident stemmed from a mismatch between the content update and the sensor. The Falcon sensor expected 20 input fields, but the update provided 21. This discrepancy led to an out-of-bounds memory read, which in turn caused the Windows operating system to crash. Because of a logic error, CrowdStrike’s Content Validator, which performs control checks before deployment, failed to detect the problem.
The problematic content update resulted in system crashes for a significant number of Windows machines running the Falcon sensor. While a fix was rapidly deployed, many customers experienced downtime. By July 29, 2024, approximately 99% of Windows sensors were reported back online, indicating a substantial recovery effort.
CrowdStrike has implemented several measures to prevent recurrence. These include updating Content Configuration System test procedures, adding deployment layers and acceptance checks, and providing customers with more control over Rapid Response Content updates. Validation for input field counts has been implemented, and additional checks are being added to the Content Validator, along with enhanced bounds checking in the Content Interpreter. Third-party security vendors are also reviewing the Falcon sensor code and quality control processes.
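As an added illustration of the field-count validation and interpreter bounds checking described above (a constructed example, not CrowdStrike's code; the 20-field table, the '|'-separated record format and all names are assumptions), a validator/interpreter pair that rejects a record whose field count differs from what the sensor's fixed-size parameter table was built for:

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical constants: the sensor template expects exactly 20 input fields
 * and the interpreter's parameter table holds exactly that many. */
#define EXPECTED_FIELDS 20
#define MAX_FIELD_LEN 32
typedef struct { size_t count; char values[EXPECTED_FIELDS][MAX_FIELD_LEN]; } param_table;
/* Validator-stage check over a constructed '|'-separated record format. */
size_t count_fields(const char *record) {
    if (record == NULL || *record == '\0') return 0;
    size_t n = 1;
    for (const char *p = record; *p; p++) if (*p == '|') n++;
    return n;
}
bool validate_field_count(const char *record) {
    return count_fields(record) == EXPECTED_FIELDS;
}

/* Interpreter-stage load: returns the number of fields loaded, or -1 (table
 * untouched) on a count or field-length mismatch. Without these checks a 21st
 * field would be written past the end of values[], the class of out-of-bounds
 * access the incident describes. */
int load_params(const char *record, param_table *out) {
    if (!validate_field_count(record)) return -1;
    param_table tmp = {0};
    const char *start = record;
    for (size_t i = 0; i < EXPECTED_FIELDS; i++) {
        const char *end = strchr(start, '|');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (len >= MAX_FIELD_LEN) return -1;
        memcpy(tmp.values[i], start, len);
        tmp.values[i][len] = '\0';
        tmp.count = i + 1;
        if (end == NULL) break;
        start = end + 1;
    }
    *out = tmp;
    return (int)tmp.count;
}
/* Constructed input: a record of n one-character fields ("f|f|...|f"),
 * loaded into a table; returns load_params' result. */
int try_record(size_t n) {
    char buf[64] = {0};
    param_table table = {0};
    for (size_t i = 0; i < n && 2 * i + 1 < sizeof buf; i++) {
        buf[2 * i] = 'f';
        buf[2 * i + 1] = (i + 1 < n) ? '|' : '\0';
    }
    return load_params(buf, &table);
}
```

A 20-field record loads; a 21-field record is refused at the validator, and a 19-field one at the same check, before any memory is touched.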