This seems to be misinformation? The CrowdStrike KB says this was due to a Linux kernel bug.
---
Linux Sensor operating in user mode will be blocked from loading on specific 6.x kernel versions
Published Date: Apr 11, 2024
Symptoms
In order to not trigger a kernel bug, the Linux Sensor operating in user mode will be prevented from loading on specific 6.x kernel versions with 7.11 and later sensor versions.
Applies To
Linux sensor 7.11 in user mode will be prevented from loading:
For Ubuntu/Debian kernel versions:
6.5 or 6.6
For all distributions except Ubuntu/Debian, kernel versions:
6.5 to 6.5.12
6.6 to 6.6.2
Linux sensor 7.13 in user mode will be prevented from loading:
For all distributions except Ubuntu/Debian, kernel versions:
6.5 to 6.5.12
6.6 to 6.6.2
Linux Sensors running in kernel mode are not affected.
Resolution
CrowdStrike Engineering identified a bug in the Linux kernel BPF verifier, resulting in unexpected operation or instability of the Linux environment.
In detail, as part of its tasks, the verifier backtracks BPF instructions from subprograms to each program loaded by a user-space application, like the sensor. In the bugged kernel versions, this mechanism could lead to an out-of-bounds array access in the verifier code, causing a kernel oops.
This issue affects a specific range of Linux kernel versions, that CrowdStrike Engineering identified through detailed analysis of the kernel commits log. It is possible for this issue to affect other kernels if the distribution vendor chooses to utilize the problem commit.
To avoid triggering a bug within the Linux kernel, the sensor is intentionally prevented from running in user mode for the specific distributions and kernel versions shown in the above section.
These kernel versions are intentionally blocked to avoid triggering a bug within the Linux kernel. It is not a bug with the Falcon sensor.
Sensors running in kernel mode are not affected.
No action required, the sensor will not load into user mode for affected kernel versions and will stay on kernel mode.
For Ubuntu 22.04 the following 6.5 kernels will load in user mode with Falcon Linux Sensor 7.13 and higher:
6.5.0-1015-aws and later
6.5.0-1016-azure and later
6.5.0-1015-gcp and later
6.5.0-25-generic and later
6.5.0-1016-oem and later
If for some reason the sensor needs to be switched back to kernel mode:
Switch the Linux sensor backend to kernel mode
sudo /opt/CrowdStrike/falconctl -s --backend=kernel
---
Linux Sensor operating in user mode will be blocked from loading on specific 6.x kernel versions
Published Date: Apr 11, 2024
Symptoms
In order to not trigger a kernel bug, the Linux Sensor operating in user mode will be prevented from loading on specific 6.x kernel versions with 7.11 and later sensor versions.
Applies To
Linux sensor 7.11 in user mode will be prevented from loading:
For Ubuntu/Debian kernel versions:
6.5 or 6.6
For all distributions except Ubuntu/Debian, kernel versions:
6.5 to 6.5.12
6.6 to 6.6.2
Linux sensor 7.13 in user mode will be prevented from loading:
For Ubuntu 22.04 running the 6.5 kernel:
6.5.0 - 6.5.0-1014-aws
6.5.0 - 6.5.0-1015-azure
6.5.0 - 6.5.0-1014-gcp
6.5.0 - 6.5.0-24-generic
6.5.0 - 6.5.0-1015-oem
Ubuntu kernel version:
6.6 to 6.6.2
For Debian kernel version:
6.5 to 6.5.12
6.6 to 6.6.2
For all distributions except Ubuntu/Debian, kernel versions:
6.5 to 6.5.12
6.6 to 6.6.2
Linux Sensors running in kernel mode are not affected.
Resolution
CrowdStrike Engineering identified a bug in the Linux kernel BPF verifier, resulting in unexpected operation or instability of the Linux environment.
In detail, as part of its tasks, the verifier backtracks BPF instructions from subprograms to each program loaded by a user-space application, like the sensor. In the bugged kernel versions, this mechanism could lead to an out-of-bounds array access in the verifier code, causing a kernel oops.
This issue affects a specific range of Linux kernel versions, that CrowdStrike Engineering identified through detailed analysis of the kernel commits log. It is possible for this issue to affect other kernels if the distribution vendor chooses to utilize the problem commit.
The commit where the kernel bug was introduced is seen at https://github.com/torvalds/linux/commit/fde2a3882bd07876c14... and the commit that resolves the issue is seen at https://github.com/torvalds/linux/commit/4bb7ea946a370707315...
To avoid triggering a bug within the Linux kernel, the sensor is intentionally prevented from running in user mode for the specific distributions and kernel versions shown in the above section.
These kernel versions are intentionally blocked to avoid triggering a bug within the Linux kernel. It is not a bug with the Falcon sensor. Sensors running in kernel mode are not affected.
No action required, the sensor will not load into user mode for affected kernel versions and will stay on kernel mode.
For Ubuntu 22.04 the following 6.5 kernels will load in user mode with Falcon Linux Sensor 7.13 and higher:
6.5.0-1015-aws and later
6.5.0-1016-azure and later
6.5.0-1015-gcp and later
6.5.0-25-generic and later
6.5.0-1016-oem and later
If for some reason the sensor needs to be switched back to kernel mode:
Switch the Linux sensor backend to kernel mode
sudo /opt/CrowdStrike/falconctl -s --backend=kernel
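
The sensor 7.13 block list in the second copy of the KB text above can be turned into a fleet check. This is an added example, not part of the comment and not CrowdStrike code; the function names are hypothetical, `distro` is a label the caller supplies, "ubuntu" is assumed to mean Ubuntu 22.04, and `release` is assumed to carry the upstream version the KB ranges refer to.

```python
import re

# Sensor 7.13 rules as listed in the quoted KB text.
# Ubuntu 22.04, 6.5 kernel: first ABI number per flavour that loads in user mode.
UBUNTU_65_FIRST_OK = {"aws": 1015, "azure": 1016, "gcp": 1015,
                      "generic": 25, "oem": 1016}
# Inclusive upstream ranges the KB lists as blocked.
BLOCKED_65 = ((6, 5, 0), (6, 5, 12))
BLOCKED_66 = ((6, 6, 0), (6, 6, 2))

# major.minor[.patch] optionally followed by -ABI-flavour (Ubuntu style).
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+)-([a-z0-9]+))?")

def parse_release(release):
    """Split a kernel release string into (version tuple, ABI number, flavour)."""
    m = _RELEASE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi, flavour = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(abi) if abi else None), flavour

def user_mode_blocked(distro, release):
    """True: user mode blocked. False: loads. None: the KB lists do not decide."""
    version, abi, flavour = parse_release(release)
    if distro == "ubuntu" and version[:2] == (6, 5):
        first_ok = UBUNTU_65_FIRST_OK.get(flavour)
        if first_ok is None or abi is None:
            return None  # flavour not listed in the KB, or no ABI number
        return abi < first_ok
    # Ubuntu is only listed for 6.6 here; Debian and others for both ranges.
    ranges = [BLOCKED_66] if distro == "ubuntu" else [BLOCKED_65, BLOCKED_66]
    return any(lo <= version <= hi for lo, hi in ranges)

if __name__ == "__main__":
    # Constructed sample inventory, not taken from the page.
    for distro, rel in [("ubuntu", "6.5.0-24-generic"),
                        ("ubuntu", "6.5.0-1016-azure"),
                        ("fedora", "6.5.12-200.fc38.x86_64")]:
        print(distro, rel, user_mode_blocked(distro, rel))
```

A `None` result marks hosts to check by hand, for example Ubuntu flavours the KB text does not list.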