
An AI service provider recently revealed a serious integer overflow vulnerability in the macOS XNU kernel. If a Mac runs continuously for 49 days, 17 hours, 2 minutes, and 47 seconds, the TCP/IP network protocol stack will completely stop accepting new connections, meaning the computer cannot open any new web pages or run applications that require internet access. Currently, all macOS models are affected, and the only temporary workaround is to restart the device.
How the Problem Was Discovered
The Photon team initially discovered the anomaly in a cluster of Mac devices used to monitor the iMessage service. Some machines would reject all new network connections without warning, yet ping, a simple tool for testing network connectivity, showed normal operation and existing connections remained active, which made troubleshooting extremely difficult.
Ultimately, maintenance personnel could only use device restarts as a stopgap measure, but after observation, they found that the problem would reappear after approximately 49.7 days of device operation.
Root Cause of 32-bit Integer Overflow
After in-depth investigation, the Photon team found the root cause of the problem. The macOS kernel uses a timer called tcp_now to record the number of milliseconds since system startup. This timer stores its value as a 32-bit unsigned integer, which in the computer world is like a counter that can only display 10 digits, with a maximum limit of 4,294,967,295. Converted from milliseconds, that limit corresponds to 49 days, 17 hours, 2 minutes, and 47 seconds.
When the value reaches this limit, the kernel function responsible for calculating time malfunctions, causing tcp_now to freeze at its last value instead of resetting to zero or continuing to tick. Once the clock freezes, the system falls into logical chaos: network resources that should have been released after a connection ended (TIME_WAIT state) never expire because the system thinks “time has stopped.”
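The arithmetic and the frozen-clock effect described above, as an added example: a constructed C model, not XNU source and not the Photon team's code. The 30-second TIME_WAIT hold, the function names, and the sample uptimes are assumptions for illustration; `ms_until_limit` is the check an operator could use to schedule a restart before the limit is reached.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model for illustration; not XNU source. */
#define TIME_WAIT_MS 30000u /* assumed TIME_WAIT hold time */

/* Wrap-safe "a is at or after b": signed view of the 32-bit difference. */
static int ts_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* Split milliseconds into {days, hours, minutes, seconds}. */
static void split_ms(uint64_t ms, unsigned out[4]) {
    uint64_t s = ms / 1000;
    out[0] = (unsigned)(s / 86400);
    out[1] = (unsigned)(s % 86400 / 3600);
    out[2] = (unsigned)(s % 3600 / 60);
    out[3] = (unsigned)(s % 60);
}

/* Uptime budget left before a 32-bit ms counter hits its limit (0 if past). */
static uint64_t ms_until_limit(uint64_t uptime_ms) {
    return uptime_ms >= UINT32_MAX ? 0 : UINT32_MAX - uptime_ms;
}

/* Tick a 32-bit ms clock `steps` times from `start`. frozen=1 models the clock
 * sticking at the limit as described above; frozen=0 lets it wrap. Returns the
 * step at which a TIME_WAIT entry created at `start` expires, or -1 if never. */
static int steps_to_expiry(uint32_t start, uint32_t tick, int steps, int frozen) {
    uint32_t now = start;
    uint32_t deadline = start + TIME_WAIT_MS; /* unsigned wrap is well defined */
    for (int i = 1; i <= steps; i++) {
        uint64_t next = (uint64_t)now + tick;
        if (!(frozen && next > UINT32_MAX)) now = (uint32_t)next;
        if (ts_geq(now, deadline)) return i;
    }
    return -1;
}

int main(void) {
    unsigned d[4];
    uint32_t start = UINT32_MAX - 10000u; /* constructed: 10 s before the limit */
    split_ms(UINT32_MAX, d);
    printf("limit: %ud %uh %um %us\n", d[0], d[1], d[2], d[3]);
    split_ms(ms_until_limit(40ULL * 86400000ULL), d); /* constructed: 40 days up */
    printf("left at 40 days: %ud %uh %um %us\n", d[0], d[1], d[2], d[3]);
    printf("wrapping clock: step %d\n", steps_to_expiry(start, 1000, 100, 0));
    printf("frozen clock:   step %d\n", steps_to_expiry(start, 1000, 100, 1));
    return 0;
}
```

With a clock that wraps and a signed-difference comparison, the entry created just before the limit still expires on schedule; with the frozen clock the deadline is never reached, which is the stuck TIME_WAIT condition the article describes.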
Similar Incidents in History
This vulnerability is strikingly similar to the 49.7-day system freeze in Windows 95 and Windows 98 in 1999, both being 32-bit integer overflow issues. Microsoft had to release a patch to fix it back then. The situation is slightly different for macOS; the overflow only affects new TCP connections, while existing connections and ping remain functional.
Limited Impact on Ordinary Users, but Long-Running Devices Bear the Brunt
For typical MacBook users, devices are regularly shut down or restarted, so they almost never trigger this vulnerability. However, an increasing number of enterprises and developers use Mac minis for long-term automated tasks that require the devices to run continuously for months, so these machines trigger the problem again and again.
The Photon team is actively developing alternatives, but fundamentally resolving the issue still relies on Apple pushing out a kernel-level system update.