This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 44%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPG%3C/text%3E%3C/svg%3E)
My Alienware 18 (model AA18250) on Windows 11 25H2 has been blue-screening repeatedly for about five weeks, and I would like it escalated since the latest cumulative update did not fix it.
Failure signature (consistent across 15+ dumps since early May):
Analysis already done:
Why I am posting: KB5094135 (build 26100.8655, installed 6/13/2026) did not resolve it. It has recurred on this build with the identical signature on 6/14, 6/15, and 6/16.
Request: escalation to the kernel / pool-allocator team referencing failure hash 6f13343d-8edf-14f9-0269-6df067c74f57, confirmation of whether a fix is planned and in which build, and any supported interim mitigation. I can provide minidumps and the ETW capture on request.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 47%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
This new information changes the picture.
I played Warframe for about an hour and the computer was fine. Then I left it alone, went for a nap, and the only thing happening was downloading games. When I came back, the computer had restarted.
That’s actually a very important observation.
Why?
If this were a GPU stability issue, I’d expect crashes:
Instead:
✅ Gaming for an hour = stable ❌ Crash while essentially idle/downloading
That shifts suspicion away from the RTX GPU and toward:
I checked the latest dump
What’s interesting is that I did not find the same obvious NPU strings that were present in some of the earlier dumps.
Instead, I found references to:
This doesn’t prove those drivers caused the crash, but it suggests we’re looking at a broader Intel platform stack issue rather than purely an NPU issue.
Activity Result
Gaming (Warframe) Stable
Idle / downloading Crash
Multiple BSODs Yes
Mostly 0x3B access violations Yes
WHEA hardware errors No evidence
Intel platform drivers repeatedly present Yes
System: Alienware 16X Aurora AC16251
CPU: Intel Core Ultra 9 275HX
BIOS: Alienware 2.4.0 (05/11/2026)
OS: Windows 11 build 26200.8655
Memory: 32 GB DDR5-5600 (2x16 GB SK Hynix HMCG78AGBSA095N)
Observed Behavior:
The system experiences recurring BSODs while idle or performing background activity (such as downloading games). The system is stable during extended gaming sessions (e.g., Warframe for over one hour).
Collected crash data shows multiple bugcheck types:
The common exception in all observed crashes is:
Reliability Monitor confirms repeated bugchecks and system restarts.
Notable observations:
Troubleshooting performed:
CPU: Intel Core Ultra 9 275HX
BIOS: Alienware 2.4.0 (05/11/2026)
OS: Windows 11 build 26200.8655
Memory: 32 GB DDR5-5600 (2x16 GB SK Hynix HMCG78AGBSA095N)
Observed Behavior:
The system experiences recurring BSODs while idle or performing background activity (such as downloading games). The system is stable during extended gaming sessions (e.g., Warframe for over one hour).
Collected crash data shows multiple bugcheck types:
The common exception in all observed crashes is:
Reliability Monitor confirms repeated bugchecks and system restarts.
Notable observations:
Troubleshooting performed:
Hypothesis:
The issue may involve memory corruption or invalid memory access occurring in a kernel-mode driver path associated with Modern Standby / S0 idle operation, Intel platform power-management components (IntelPMT, intelpep, IPF, NPU), or interactions with Dell platform software.
Request:
Please review the attached crash dumps for a common memory-corruption source, especially around:
The consistent 0xC0000005 exception across multiple bugcheck types suggests a common underlying corruption source rather than independent failures.
I will upload all dump files later.
Can we please get this elevated to Kernel team and pool allocator support?
Posting my minidumps in zip file here as well.
https://1drv.ms/u/c/e460de3646470951/IQCrYOC76bT5S7-Yo2d2khsMAeHQQZ6LU-lHqB0f36CivT4?e=FQkApc
Disabling intel NPU gave me all morning without a restart, but when I got home I had another 0x1E failure. Same issues as Pat.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 77%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELB%3C/text%3E%3C/svg%3E)
Hi, thank you for replying. Upon checking the ntkrnlmp.exe error, it is only displaying a general error on the PC and still pointing to tcpip.sys, moreover, have you done the steps above and still have an issue?
If yes, can you please check the System logs on the PC so I can further examine the root cause of the issue?
To share the System logs, please follow the steps in the link below:
Press the Windows key + X, then select "Event Viewer"
Click the drop-down of "Windows logs"
Right-click System > click Filter Current logs > Check: Critical, Warning, and Error > Hit OK
On the right pane, click "Save Filtered Log File As..."
Save the System logs file to your desktop and share it by following the steps from the link:
Note: You can also use your preferred cloud storage to upload and share the logs.
Posting a full root-cause analysis in case it helps triage, and to ask whether this can be escalated to the kernel / pool-allocator team. Offsets from ntkrnlmp.exe 10.0.26100.8457; still reproduces on 26100.8655 after KB5094135 (installed 2026-06-13). Failure hash 6f13343d-8edf-14f9-0269-6df067c74f57, faulting IP nt!ExpPoolTrackerChargeEntry+0x40 (P2 low bits ...96570, invariant across ASLR bases).
Summary: use-after-free in the pool tag tracker. nt!ExAllocateHeapPool has a lock-free fast path that locates a _POOL_TRACKER_TABLE entry from a cached PoolTrackTable base and mask, then calls nt!ExpPoolTrackerChargeEntry to atomically update its accounting fields. The tracker table is dynamically expandable: nt!ExpInsertPoolTrackerExpansion publishes the new base/size under ExpTaggedPoolLock, releases the lock, and then frees the old table with nothing waiting for in-flight lock-free readers to drain. A fast-path charge that snapshotted the old base before an expansion computes an entry pointer into the freed/recycled old table and executes lock xadd against it. If that page has been reused, it bugchecks.
The fault (052826-17906-01.dmp, .cxr at the exception context):
nt!ExpPoolTrackerChargeEntry+0x40:
fffff805`bf996570 f04b0fc12c06 lock xadd qword ptr [r14+r8],rbp ds:002b:ffffa381`b4ba31e8=fffffffffdff47d0
rbp=0000000000000540 r8=ffffa381b4ba31e0 r13=0000000020707249 ("Irp ") r14=0000000000000008
r8 is a _POOL_TRACKER_TABLE entry pointer; r14=8 selects NonPagedBytes; rbp=0x540 is the allocation size being added. [r8+8] holds fffffffffdff47d0, not a plausible byte total. Bugcheck SYSTEM_SERVICE_EXCEPTION (3B), exception c0000005. Call chain is a routine IRP allocation: ExpPoolTrackerChargeEntry <- ExAllocateHeapPool <- ExpAllocatePoolWithTagFromNode <- ExAllocatePool2 <- IopAllocateIrpPrivate (tag "Irp ") <- a NtQueryInformationProcess / file-name query.
Cross-dump fingerprint (the use-after-free tell). Same instruction and hash; r8 is invalid a different way each crash, which is what freed-and-reused memory looks like:
| Dump | Process | Stop | r8 | what is at r8 now |
|---|---|---|---|---|
| 052826-17906-01 | logioptionsplus | 0x3B | ffffa381b4ba31e0 |
freed/reused, [r8+8]=fffffffffdff47d0 |
| 052026-15875-01 | Dropbox | 0x1E | 0072007400730069 |
not a pointer; r8/r9/r10 = UTF-16 "istr","y\ma","chin", a ...Registry\Machine... path string in that page |
| 052726-15765-01 | svchost | 0x23 | ffff80805d5b6330 |
freed/reused, [r8+8]=ffffffffffff9e20 |
| 052826-18250-01 | powershell | 0x135 | via CmpCallbackFatalFilter |
same root function |
Four processes, four stop codes, one root function. The stop code is just whichever exception handler catches the fault on the way up. The Dropbox dump is decisive: the tracker-entry pointer points into a page that has been recycled into a registry path string.
Where the bad pointer is produced (nt!ExAllocateHeapPool). The slow path reads the table base fresh under ExpTaggedPoolLock; the fast path uses a cached snapshot and takes no lock:
mov rdx, qword ptr [rsp+38h] ; cached PoolTrackTable base, NO lock
and eax, r12d ; index &= cached PoolTrackTableMask, NO lock
lea rbx, [rax+rax*4] ; rbx = index*5
shl rbx, 4 ; rbx = index*0x50 (sizeof _POOL_TRACKER_TABLE)
add rbx, rdx ; entry = base + index*0x50
mov r8, rbx
call nt!ExpPoolTrackerChargeEntry
Where the old table is freed (nt!ExpInsertPoolTrackerExpansion):
call nt!ExAllocateHeapPages ; new larger table -> rdi
... memcpy(old -> new) ; memset(tail) ...
mov [nt!PoolTrackTableExpansion], rdi ; +bfcde445 publish new base, lock held
mov [nt!PoolTrackTableExpansionSize], r12 ; +bfcde452 publish new size, lock held
call nt!KeReleaseInStackQueuedSpinLock ; +bfcde46b release lock
call nt!ExPoolCleanupExpansionTable(old, oldSize) ; +bfcde47b FREE old table, AFTER unlock
The publish is correctly serialized under ExpTaggedPoolLock. The defect is that reclamation happens after the lock is released, unprotected against in-flight lock-free readers.
The race. CPU A (charge) snapshots base+mask with no lock. CPU B grows the table, publishes the new base/mask under the lock, releases, then frees the old table. CPU A computes old_base + index*0x50 and executes lock xadd/lock inc into the freed table.
Why heavy load is required. A continuous ETW kernel trace shows every crash preceded by a ~3 second burst of ~700,000 kernel events/sec (normal heavy load is 10k-50k/sec), ~42% registry and ~42% file, from a process-creation storm across 24 logical CPUs. That forces tracker-table growth while charges are in flight, and explains the very low public report rate.
Fix direction. The publish is already serialized; the problem is freeing the retired table immediately after unlock. Most localized fix: defer the free until lock-free readers drain (epoch/generation or an RCU-style barrier) instead of calling ExPoolCleanupExpansionTable right after release. Alternatives: bump a generation counter under the lock on each publish and recheck it on the charge path before the atomic write; or carry the index and recompute the entry from the current base at charge time.
This is not a single bad unit. Multiple independent users now report the identical hash and faulting offset on the Intel Arrow Lake-HX platform (Core Ultra 9 275HX), across different OEMs and GPUs: Alienware 18, Alienware 16x, and Acer Predator. WER bucket telemetry alone may not surface something this rare; correlated multi-user reports with the same hash through a kernel engineer would. Full kernel dumps, 14 deduplicated minidumps (all same hash), and the ETW captures are available on request.
Caveat: this is reverse-engineered from optimized release ntoskrnl.exe with public symbols and post-mortem dumps. The fault context, the two-path disassembly, the divergent-r8 fingerprint, and the burst correlation are direct evidence; the exact free/publish ordering in the expansion routine is the one inference the team can confirm internally.
Hi, thank you for patiently waiting. As per checking and analyzing the DMP files you have, there is an error tcpip.sys, this is actually a Windows Driver Framework that is associated with the drivers, which allows communication between hardware and connected devices. The issue happens when there is new hardware that is not calibrated to what the software is used to, and it is pointing out on the Network interface card. In this case, kindly follow the steps below:
Method 1. Roll back the network driver:
-Press the Windows key + X
-Go to Device Manager
-Expand the Network Adapters
-Look for the Wireless driver that was installed
-Right-click and click Update Driver
-Select Browse my computer for drivers
-Click Let me pick from a list of available drivers on my computer
-Choose an old driver or another driver name, then select it and hit next until it installs.
-Restart the PC and check.
If the issue persists, run the following command in Terminal (Admin). Follow the steps below to do so.
These sets of commands will reset the internet connection and recalibrate the internet settings you have.
Press Windows Key + X.
Click on the Terminal (Admin) or Windows PowerShell (admin)
Type the following commands, and hit Enter after each command:
netsh int tcp set heuristics disabled
netsh int tcp set global autotuninglevel=disabled
netsh int tcp set global rss=enabled
netsh winsock reset
netsh int ip reset
ipconfig /release
ipconfig /renew
ipconfig /flushdns
Restart the PC and check.
If the same issue follows the methods below:
Do a clean boot:
A “clean boot” starts Windows with a minimal set of drivers and startup programs so that you can determine whether a background program is interfering with your game or program.
Troubleshooting reference:
Note: If the issue persists, I suggest contacting a local technician to physically check the device for any hardware-related issues.
Followed steps and same issue appears. No hardware issues here.
Bryan, this looks like the same bug I have on the 18, and it is almost certainly not your hardware.
Check Event Viewer (Windows Logs > System) for the bugcheck. If it is 0x1E, 0x3B, or 0x135 faulting in nt!ExpPoolTrackerChargeEntry with WER hash 6f13343d-8edf-14f9-0269-6df067c74f57, it is identical, just on the 16x.
The reason you cannot grab minidumps is the bug itself. The fault is in the kernel pool allocator, which the dump writer also needs, so the dump usually never finishes. Switching to small minidumps helps a little. An ETW kernel autologger that writes to disk before the crash is the only thing that captured it reliably for me.
What settled it for me being the kernel and not the hardware: a Linux live USB on the same machine ran a 30 minute full CPU and memory stress with zero crashes, zero machine-check errors, zero PCIe errors. The fault does not follow the hardware into Linux. Worth running before you bother with an RMA.
If you post your stop code and that hash, it adds another confirmed report on the same Intel platform, which is what this needs to reach the kernel team.
I am on Alienware 16X Aurora (AC16251) on same windows version as Pat. I have also had bug checks of 0x1E, 0x3B, and 0x135 with the same hash 6f13343d-8edf-14f9-0269-6df067c74f57 as Pat. It is identical, just on the 16x. The only minidumps I was able to pull were for the 0x1E.
Pat, I seem to have stumbled on something. I disabled my Intel NPU in device manager and my system was stable before I went to work. I downloaded the driver for it off of the dell website and installed it twice. I will check when I get home tonight and update you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 74%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
I have this issue on Legion Pro 7i 16 (Intel Core Ultra 9 275HX). For me, it started after KB5094126.
Stop codes are:
0x3b (hash 6f13343d-8edf-14f9-0269-6df067c74f57)0x1e (hash 2721b703-e5f1-75e8-ea6e-0d53155948c5)It mostly crashes when I play Armar Reforger. It could crash 1 hour into a game session, but after a reboot, I may continue playing for hours without issue.
I really hope to find a solution for this here.
Hi, I'm Bernard. I'm happy to help!
Can you please upload and share the Minidump files on your PC so I can further examine the root cause of the issue?
Press Windows key + E (To open File Explorer)
Click "This PC" > then follow the file path:
C:\Windows\Minidump
Copy the Minidump files and save them to another location, like the Desktop or Documents.
Then please upload it to Cloud storage like OneDrive or any cloud storage you are using, and please share the shareable link here.
To upload and share the link using OneDrive:
Go to this link: https://onedrive.live.com/, then upload the file.
Then, provide the shareable link by following the steps from this link: https://support.microsoft.com/en-us/office/share-onedrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07
Note: This is a public forum. I may respond shortly, but I apologize in advance for any delays. I am simply a fellow user trying to provide helpful insights and information.
Thanks for taking a look, Bernard.
The minidumps are zipped here: [minidumps]. There is a README.txt inside with the failure hash, the faulting symbol and instruction, a per-dump table of which process triggered each crash, and everything already ruled out, so the pattern is quick to see without grinding through every file.
Here is the summary from the analysis already done. Every dump faults in nt!ExpPoolTrackerChargeEntry with the same WER hash 6f13343d-8edf-14f9-0269-6df067c74f57, showing up as 0x1E, 0x3B, or 0x135 depending on which subsystem trips first. The triggering process is different on every crash (explorer, svchost, registry, claude, chrome, and others), which points at the shared kernel pool allocator rather than any single driver. The faulting instruction is lock xadd qword ptr [r14+r8], rbp, and r8 holds different invalid values each time, so it reads as a software race on the pool-tag tracker table, not a hardware bit-flip.
Hardware is clean (Windows Memory Diagnostic, Dell ePSA, and NVMe SMART all pass), Driver Verifier on every non-Microsoft driver caught nothing, and it still crashes with the identical hash after KB5094135 and with Defender real-time protection plus third-party startup software disabled.
What I am really after is whether this can get in front of the kernel or pool-allocator team referencing that hash, or whether anyone else is seeing the same signature. Full kernel dumps and an ETW capture of the pre-crash event burst are available if they help.
Thanks Bernard, I appreciate you taking the time to go through the dumps.
You are right that one of them points at tcpip.sys. That is the 6/13 dump (RuneLite.exe), where the bucket comes back as AV_tcpip!IppCreateSortedAddressPairs. What I want to compare notes on is the call stack underneath it, because the instruction it actually faults on is the same one that shows up as the direct culprit in most of the other dumps.
Here is the stack from that exact dump, oldest call at the bottom:
nt!NtDeviceIoControlFile
afd!AfdDispatchDeviceControl
tcpip!UdpSetSockOptEndpoint
tcpip!IppCreateSortedAddressPairs+0x434
nt!ExAllocatePool2
nt!ExpAllocatePoolWithTagFromNode
nt!ExAllocateHeapPool
nt!ExpPoolTrackerChargeEntry+0x40 <- exception here (c0000005)
The exception lands on nt!ExpPoolTrackerChargeEntry+0x40. tcpip sits three frames above it as the caller that asked for the memory, not the code that faulted. RuneLite made a normal socket call, tcpip did a normal pool allocation, and the kernel pool tracker faulted in the middle of it.
The reason I have been cautious about the network-card angle is that the caller keeps changing across the set while the fault site does not. In other dumps the caller is bindflt during a directory enumeration, the registry path under CmOpenKey, or svchost at idle, and the exception still lands on that same nt!ExpPoolTrackerChargeEntry+0x40 with the same access violation. Checking the literal fault address, it is the identical offset in every case. The only thing that moved it is KB5094135 on 6/13 shifting nt's base, so the absolute address changed while the function and offset stayed the same.
I did already try the wireless driver and network-stack angle earlier in this, including the netsh reset block, plus a clean-boot-equivalent state (Defender real-time off, third-party startup disabled), and the identical bugcheck still hits. A fault inside the kernel pool tracker does not seem to care which driver requested the allocation.
So my question is whether there is any path to get this signature in front of someone on the kernel or pool-allocator side. The consistent piece to reference is the exception at nt!ExpPoolTrackerChargeEntry+0x40 reached through ExAllocatePool2, firing under many different callers and processes. I have full kernel dumps and an ETW kernel trace available if that would help anyone dig deeper.
Thanks again for staying on this. It is the most concrete look anyone has given it.
I am having this very similar issue on my new Alienware 16x. I can’t even get my laptop to stay alive long enough to get the minidumps open or sent from my computer