[elastic agent] Document known issue described in elastic/endpoint#90 (#2126)

Documents known issue described in
[elastic/endpoint#90](elastic/endpoint#90).

cc @gabriellandau

---------

Co-authored-by: Gabriel Landau <[email protected]>

Author: colleenmcginnis

release-notes/elastic-security/known-issues.md

@@ -8,14 +8,35 @@ Known issues are significant defects or limitations that may impact your impleme
 % Use the following template to add entries to this page.
 
 % :::{dropdown} Title of known issue
-% Applies to: Applicable versions for the known issue 
+% Applies to: Applicable versions for the known issue
 % Description of the known issue.
 % For more information, check [Issue #](Issue link).
 % **Impact**<br> Impact of the known issue.
 % **Workaround**<br> Steps for a workaround until the known issue is fixed.
 
 % :::
 
+:::{dropdown} Elastic Defend's Network driver may lead to bug checks
+
+**Applies to: {{agent}} 8.17.8, 8.18.3, and 9.0.3**
+
+On July 8, 2025, a known issue was discovered in Elastic Defend's network driver that may lead to kernel pool corruption, resulting in bug checks (BSODs) on Windows systems with a large number of long-lived network connections that remain inactive for 30+ minutes. This issue has only been observed on Windows Server.
+
+The system may bug check with any of a variety of codes such as `SYSTEM_SERVICE_EXCEPTION` or `PAGE_FAULT_IN_NONPAGED_AREA`.
+
+For more information, check [elastic/endpoint#90](https://github.com/elastic/endpoint/issues/90).
+
+**Workaround**
+
+If you're on 9.0.3, upgrade to the fixed version: [9.0.3+build202507110136](https://www.elastic.co/downloads/past-releases/elastic-agent-9-0-3+build202507110136).
+
+If you're on 8.18.3, upgrade to the fixed version: [8.18.3+build202507101319](https://www.elastic.co/downloads/past-releases/elastic-agent-8-18-3+build202507101319).
+
+If you're on 8.17.8, downgrade to 8.17.7 or install 8.17.9 once it becomes available.
+
+If you're unable to upgrade or downgrade, set `advanced.kernel.network: false` in your Defend advanced policy.
+:::
+
 :::{dropdown} Security AI Assistant Knowledge Base settings UI not displaying
 
 Applies to: 9.0.3
@@ -62,7 +83,7 @@ After enabling the Knowledge Base, you can manage entries using the AI Assistant
   }
   ```
 
-**Resolved**<br> 
+**Resolved**<br>
 
 Resolved in {{stack}} 9.0.4
 :::
@@ -102,9 +123,9 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin
 }
 ```
 
-After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. 
+After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**.
 
-**Resolved**<br> 
+**Resolved**<br>
 
 Resolved in {{stack}} 9.0.3
 
@@ -114,13 +135,13 @@ Resolved in {{stack}} 9.0.3
 
 Applies to: {{stack}} 9.0.0
 
-On April 10, 2025, it was discovered that when you install a new {{elastic-defend}} integration or agent policy, the installed prebuilt detection rules upgrade to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions, exceptions, and customizations.  
+On April 10, 2025, it was discovered that when you install a new {{elastic-defend}} integration or agent policy, the installed prebuilt detection rules upgrade to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions, exceptions, and customizations.
 
 **Workaround**
 
 To resolve this issue, before you add an {{elastic-defend}} integration to a policy in {{fleet}}, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten.
 
-**Resolved**<br> 
+**Resolved**<br>
 
 Resolved in {{stack}} 9.0.1
 
@@ -132,7 +153,7 @@ Applies to: {{stack}} 9.0.0 and 9.0.1
 
 On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check [#1021](https://github.com/elastic/docs-content/issues/1021).
 
-**Resolved**<br> 
+**Resolved**<br>
 
 Resolved in {{stack}} 9.0.2
 
@@ -145,11 +166,11 @@ Applies to: {{elastic-defend}} 9.0.0
 
 An `IRQL_NOT_LESS_EQUAL` [bugcheck](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-) in the {{elastic-defend}} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls [`FwpmTransactionBegin0`](https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0) to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {{elastic-defend}} driver from properly initializing in a timely manner. Subsequent system activity can invoke {{elastic-defend}}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
 
-**Workaround**<br> 
+**Workaround**<br>
 
-If you can't upgrade, either disable Trellix Access Protection or add a [Trellix Access Protection exclusion](https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html) for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). 
+If you can't upgrade, either disable Trellix Access Protection or add a [Trellix Access Protection exclusion](https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html) for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`).
 
-**Resolved**<br> 
+**Resolved**<br>
 
 Resolved in {{elastic-defend}} 9.0.1
 
@@ -162,7 +183,7 @@ Applies to: {{elastic-defend}} 9.0.0
 
 An unbounded kernel non-paged memory growth issue in {{elastic-defend}}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0
 
-**Workaround**<br> 
+**Workaround**<br>
 
 If you can't upgrade, turn off the relevant event source at the kernel level using your {{elastic-defend}} [advanced policy settings (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings):
 
@@ -171,7 +192,7 @@ If you can't upgrade, turn off the relevant event source at the kernel level usi
 
 Note that clearing the corresponding checkbox under [event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection) is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features.
 
-**Resolved**<br> 
+**Resolved**<br>
 
 Resolved in {{elastic-defend}} 9.0.1
 

release-notes/fleet-elastic-agent/known-issues.md

@@ -17,6 +17,7 @@ Known issues are significant defects or limitations that may impact your impleme
 
 % :::
 
+
 :::{dropdown} [Windows] {{agent}} is unable to re-enroll into {{fleet}}
 
 **Applies to: {{agent}} 9.0.0, 9.0.1, 9.0.2 (Windows only)**