Civilizational Cybersecurity · July 19, 2024 · Draft

CrowdStrike: Falcon sensor channel-file update crashes 8.5M Windows hosts

A defective rapid-response content update to the Falcon endpoint sensor was deployed simultaneously to all production hosts, causing kernel-level crashes on ~8.5 million Windows machines worldwide.

Velocity Governance perspective · Sentinel-10 overlap: 2 of 4

2 of the 4 practices that failed in this incident are part of the Sentinel-10 — the engineering protocols Concordance flags as most degraded under AI-accelerated development.

This incident pre-dates today's AI-velocity surge. The thesis is that the same practices that failed here will fail faster under AI velocity if they are not actively governed.

Impact

Economic impact: $10.0B
Affected hosts: 8.5M
Downtime: 24h
Regulatory action: US House Homeland Security hearing

Estimated economic impact of $10B or more. Airlines were grounded (Delta alone reported a $500M loss), hospitals were shut, and broadcasts were halted. It is the largest single IT outage in history.

Root cause (from published RCA)

A new Template Type for IPC detections was introduced and validated through the Content Validator. The Content Configuration System later passed a Template Instance to the sensor that contained problematic content data, which the Content Interpreter could not handle gracefully, crashing the sensor in kernel mode. The new content was deployed to all hosts simultaneously, with no staged rollout.

Concordance protocols that map to this root cause

Protocol 4.2 CI Gating (Testing)
CI gating did not block the defective content update from reaching production, despite it being a binary-safety change to kernel-mode software.

Protocol 5.7 Rollback Capability (Release, Sentinel-10)
No rollback path existed independent of the defective software itself; affected hosts required manual recovery.

Protocol 5.8 Feature Flagging (Release, Sentinel-10)
No feature flagging or staged rollout for content updates: deployment was global and simultaneous.

Protocol 5.4 Release Approval (Release)
The release approval process did not require canary deployment for content updates classified as low-risk, despite their kernel-mode reach.

Primary sources

CrowdStrike External Technical Root Cause Analysis, Channel File 291 (CrowdStrike, August 6, 2024)
Falcon Content Update Preliminary PIR (CrowdStrike, July 24, 2024)

Related incidents

Other incidents that failed at least one of the same protocols.

Fastly, Jun 2021: Single customer config change triggers global Fastly CDN outage
Knight Capital Group, Aug 2012: Knight Capital loses $440M in 45 minutes from incomplete software depl…
Codecov, Apr 2021: Codecov bash-uploader supply-chain compromise exfiltrates customer sec…

Tags: #supply-chain #rollback-failure #staged-rollout #config-management #endpoint-security
Concordance Incident Index entry · CC BY 4.0 · Methodology · Errata: hello@concordancelabs.com