The CrowdStrike Outage
A single bad sensor configuration shipped by a single endpoint vendor blue-screened 8.5 million Windows machines on a Friday morning in July.
The CrowdStrike outage of July 19, 2024 was not, strictly, a cyberattack. It was the inverse — a routine update from a major cybersecurity vendor that crashed every machine it touched. By the end of the day, 8.5 million Windows hosts running CrowdStrike Falcon had blue-screened into a boot loop that would not clear on its own.
What actually happened
CrowdStrike pushed what it calls a Rapid Response Content update — a small file describing new detection logic for the Falcon sensor. The file was malformed in a way that triggered an unhandled out-of-bounds read in the sensor's kernel-mode driver. Because the driver loaded at boot, every machine that ingested the bad update crashed on its very next start.
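To make that failure mode concrete, here is an added example in C (not CrowdStrike's code; the content-file layout is constructed for this illustration, not the real Falcon format): a parser that trusts a count field from the update sits beside one that validates the count against the bytes actually delivered and, on rejection, leaves the sensor running on its last known-good content rather than faulting.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical content-file layout, constructed for this example: a 1-byte
 * record count followed by `count` records of RECORD_SIZE bytes each. */
#define RECORD_SIZE 4
#define MAX_RECORDS 16
typedef struct {
    uint8_t count;
    const uint8_t *records;   /* points into the update buffer */
} content_t;

/* Unsafe parse: trusts the declared count without comparing it to the bytes
 * delivered, so a later lookup of a "declared" record reads past the buffer. */
int parse_content_unsafe(const uint8_t *buf, size_t len, content_t *out) {
    if (len < 1) return -1;
    out->count = buf[0];
    out->records = buf + 1;
    return 0;
}

/* Hardened parse: every value that drives later indexing is checked against
 * the data actually present before the file is accepted. */
int parse_content_safe(const uint8_t *buf, size_t len, content_t *out) {
    if (buf == NULL || len < 1) return -1;
    uint8_t count = buf[0];
    if (count > MAX_RECORDS) return -2;                    /* over design limit */
    if ((size_t)count * RECORD_SIZE != len - 1) return -3; /* declared != delivered */
    out->count = count;
    out->records = buf + 1;
    return 0;
}

/* A rejected file never replaces the content the sensor is already running,
 * so the sensor keeps its last known-good logic instead of faulting. */
int apply_update(content_t *active, const uint8_t *buf, size_t len) {
    content_t candidate;
    int rc = parse_content_safe(buf, len, &candidate);
    if (rc == 0) *active = candidate;
    return rc;
}

/* Returns the first byte of record idx; *ok is 0 when idx is out of range. */
uint8_t lookup_record(const content_t *c, unsigned idx, int *ok) {
    *ok = idx < c->count;
    return *ok ? c->records[idx * RECORD_SIZE] : 0;
}

/* Constructed samples: good_update carries the 2 records it declares;
 * bad_update declares 3 but carries bytes for only 2. */
const uint8_t good_update[] = { 2, 0xAA, 1, 2, 3, 0xBB, 4, 5, 6 };
const uint8_t bad_update[]  = { 3, 0xAA, 1, 2, 3, 0xBB, 4, 5, 6 };
```

The unsafe parser accepts bad_update with count 3, so any lookup of record 2 would read past the nine delivered bytes; the hardened path rejects it before that can happen.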
The scope was extraordinary. Delta, United, and American Airlines grounded flights. London Stock Exchange Group services degraded. UK GP surgeries lost access to patient records. Hospitals across the United States went on diversion. Australian payment terminals went dark. Recovery often required hands-on access to each machine to delete a single file in safe mode — work that, multiplied across millions of hosts, took some organizations weeks.
What the chronicle remembers
The CrowdStrike incident is the cleanest demonstration to date of how concentrated the operating-system-and-defender stack has become. A signed, trusted, kernel-resident agent from a single vendor sits at the heart of a substantial fraction of business computing. When it misfires, the world misfires. The attack surface and the defense surface have, in many cases, become the same surface.