[Security] 9.0.6 release notes (#2649)

natasha-moore-elastic · nastasha-solomon · gabriellandau · web-flow · commit 9d5dfb2b9765 · 2025-08-28T10:17:51.000Z
Resolves #2608: adds the 9.0.6 Security and Endpoint release notes. Preview: [Elastic Security > 9.0.6](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2649/release-notes/elastic-security#elastic-security-9.0.6-release-notes) --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com>
diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
@@ -150,6 +150,20 @@ To check for security updates, go to [Security announcements for the Elastic sta
 * Fixes a bug in {{elastic-defend}} where Linux network events would have source and destination byte counts swapped.
 * Fixes an issue where {{elastic-defend}} may incorrectly set the artifact channel in policy responses, and adds `manifest_type` to policy responses.
 
+## 9.0.6 [elastic-security-9.0.6-release-notes]
+
+### Features and enhancements [elastic-security-9.0.6-features-enhancements]
+* Improves the reliability of {{elastic-defend}}'s connection to its kernel driver. This should reduce the instances of temporary `DEGRADED` policy statuses at boot due to `connect_kernel` failures.
+* Improves {{elastic-defend}} malware scan queue efficiency by not blocking scan requests when an oplock for the file being scanned cannot be acquired.
+* To help identify which parts of `elastic-endpoint.exe` are using a significant amount of CPU, {{elastic-defend}} on Windows can now include CPU profiling data in diagnostics. To request CPU profiling data using the command line, refer to [{{agent}} command reference](/reference/fleet/agent-command-reference.md#_options). To request CPU profiling data using {{kib}}, check the **Collect additional CPU metrics** box when requesting {{agent}} diagnostics.
+* Enriches {{elastic-defend}} macOS network connect events with `network.direction`. Possible values are `ingress` and `egress`.
+
+### Fixes [elastic-security-9.0.6-fixes]
+* Prevents the {{esql}} form from locking in read-only mode in the rule upgrade flyout [#231699]({{kib-pull}}231699).
+* Fixes a bug in {{elastic-defend}} where the `fqdn` feature flag was not being persisted across system/endpoint restarts.
+* Fix a race condition in {{elastic-defend}} that occasionally resulted in corrupted process command lines on Windows. This could cause incorrect values for `process.command_line`, `process.args_count` and `process.args`, leading to false positives.
+* Fixes a bug in {{elastic-defend}} where Linux endpoints would report `process.executable` as a relative, instead of absolute, path.
+
 ## 9.0.5 [elastic-security-9.0.5-release-notes]
 
 ### Features and enhancements [elastic-security-9.0.5-features-enhancements]
