BSOD (IRQL_NOT_LESS_OR_EQUAL) caused by Enpass.exe via WFP callout in NETIO.SYS

Environment

• OS: Windows 11 (Kernel Version 26100, Build 10.0.26100.7920)

• Architecture: x64, 20 logical processors

• Enpass version: [insert your version]

• Crash date: April 20, 2026 — 15:32:59 UTC+2

Bug Description

Enpass.exe is causing a reproducible kernel-level crash (Blue Screen of Death) on Windows 11 with stop code DRIVER_IRQL_NOT_LESS_OR_EQUAL (bugcheck 0xD1).

The crash occurs inside NETIO.SYS at function StreamInvokeCalloutAndNormalizeAction+0x5c, triggered by a Windows Filtering Platform (WFP) callout registered by Enpass. The faulting process is explicitly identified as Enpass.exe in the minidump.

Minidump Analysis (WinDbg !analyze -v)

BUGCHECK_CODE: 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL)
PROCESS_NAME: Enpass.exe
FAILURE_BUCKET_ID: AV_NETIO!StreamInvokeCalloutAndNormalizeAction
FAILURE_HASH: {c2ca2d1f-cfdc-88d5-c7bc-7693b8f0de04}

FAULTING_INSTRUCTION:
  NETIO!StreamInvokeCalloutAndNormalizeAction+5c
  fffff805`607c43a8 488b4808  mov rcx, qword ptr [rax+8]
  → Access Violation: reading address 0x0000000000000008 at IRQL 2 (DISPATCH_LEVEL)

STACK TRACE:
  nt!KeBugCheckEx
  nt!KiBugCheckDispatch+0x69
  nt!KiPageFault+0x468
  NETIO!StreamInvokeCalloutAndNormalizeAction+0x5c
  NETIO!StreamCalloutProcessingLoop+0x147
  NETIO!StreamProcessCallout+0x2f4
  NETIO!ProcessCallout+0x821
  NETIO!ArbitrateAndEnforce+0x5af
  NETIO!ArbitrateAndEnforceCallout+0x4d
  nt!KxSwitchKernelStackCallout+0x2e
  nt!KiSwitchKernelStackContinue

Root Cause Analysis

Enpass registers a WFP stream callout (via FwpsCalloutRegister) to inspect network traffic — likely for phishing protection or connection monitoring. The callout is passing an invalid or already-freed NET_BUFFER_LIST pointer to NETIO!StreamInvokeCalloutAndNormalizeAction. When the function attempts to dereference offset +0x8 of the returned pointer (rax+8), it reads from address 0x0000000000000008 — a near-null pointer, indicating a use-after-free or NULL dereference in the callout handler.

This is a kernel-mode bug: WFP callouts operate at DISPATCH_LEVEL (IRQL 2) and must not access pageable or invalid memory. The crash is 100% reproducible and consistently attributed to Enpass.exe across multiple minidumps.

Impact

• Severity: Critical — system crash (BSOD), data loss risk

• Frequency: Recurring (multiple crashes observed)

• Workaround: Uninstalling Enpass eliminates the crash entirely

Steps to Reproduce

The crash appears to trigger during active network usage while Enpass is running in the background. No specific user action in Enpass is required — simply having it running as a startup process is sufficient.

Suggested Fix

Review the WFP stream callout implementation (FwpsCalloutRegister / FwpsStreamInjectAsync). Ensure that:

1. NET_BUFFER_LIST references are validated before dereferencing at DISPATCH_LEVEL

2. Callout handlers properly handle NULL or freed buffer pointers

3. The callout is unregistered safely on process exit with FwpsCalloutUnregisterById

Reference: Microsoft WFP Stream Callout documentation

042026-19312-01.dmp