A recent update to the CrowdStrike Falcon sensor is causing significant issues for Windows users worldwide. This update is leading to blue screen of death (BSOD) loops and making systems inoperable.
The issue, which began on July 19, 2024, affects Windows 10 & 11 systems running CrowdStrike’s endpoint security software. Users report experiencing repeated BSODs with the error message “DRIVER_OVERRAN_STACK_BUFFER,” which prevents normal system boot and operation.
CrowdStrike has acknowledged the problem, stating they are “aware of reports of crashes on Windows hosts related to the Falcon Sensor” and that their engineering teams are working to resolve the issue.
The company advises affected users to wait to open individual support tickets. This update’s impact has been particularly severe for enterprise customers, with some organizations reporting that thousands of devices, including critical production servers and SQL nodes, have been affected. IT departments are scrambling to mitigate the damage, with some resorting to removing CrowdStrike-related files from affected systems to restore functionality.
This incident highlights the potential risks associated with automatic updates for security software, especially in enterprise environments. Many affected users are now calling for more rigorous testing procedures and the implementation of staged rollout policies to prevent similar incidents in the future.
Major services like banks, media, Airlines, Microsoft services and stock exchanges were affected. Specifically, in the United States, ground stops have been mandated by United, Delta and American Airlines, and 911 service outages in Alaska, Arizona and New Hampshire.
As the situation develops, CrowdStrike expects to provide further updates and a permanent fix for the issue. In the meantime, affected users should monitor official CrowdStrike communication channels for guidance on recovery procedures and temporary workarounds. CrowdStrike CEO George Kurtz added that the issue has been identified and isolated, and a fix has been deployed. He added that this “was not a security incident or cyberattack.”
Microsoft has confirmed that it is investigating an “issue” affecting its 365 applications and operating systems, cautioning users to anticipate “service degradation.”
How to check if the CrowdStrike sensor version is affected by the BSOD issue
- Identify your sensor version – boot into Safe Mode and check the CrowdStrike Falcon sensor version installed on your system. The problematic update is affects various sensor versions, including version 6.58.
- Check the installation date – look at the installation date of the CrowdStrike Falcon sensor. If it coincides with the onset of BSOD issues (around July 19, 2024), it is likely to be the cause.
- Look for specific error messages. The BSOD error associated with this issue is “DRIVER_OVERRAN_STACK_BUFFER.” If you see this error, your system is likely affected.
Possible Workarounds
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys” and delete it.
- Boot the host normally.
Please note that these workarounds are not fully verified; we await further updates.
Grassi is closely monitoring this developing story and will provide an update with the latest information.