macOS has a 49.7-day networking time bomb built in that only a reboot fixes — comparison operation on unreliable time value stops machines dead in their tracks
After 50 days, you're using it wrong.
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
You are now subscribed
Your newsletter sign-up was successful
Speaking from personal experience, using a Mac as a server or server-like contraption is quite an interesting proposition, as despite its Unix roots, the operating system isn't exactly designed for unattended, 24/7 usage and is difficult to set up and use as such — fighting words, but I stand by them. While most every user will reboot their Mac at least once in the space of a few weeks, if you happen to leave one running for precisely 49 days, 17 hours, 2 minutes, and 47 seconds, many parts will suddenly stop working as its TCP/IP networking stack dies.
Those are the findings of the folks at Photon, who did some serious sleuthing after encountering a mysterious issue in a fleet of Macs they use to monitor iMessage services. The problem revealed itself when some machines just up and stopped responding to network connections out of the blue, even though they answered ping requests with an "all good here, boss!"
Said machines kept their existing network connections going, making the situation even harder to diagnose, as the failure was unexplainable and otherwise invisible. Not left with much of an option, Photon's boffins had to reboot the machines to clear the issue, something any systems administrator hates as a "solution" to a mystery issue. After all, if it happened once, it'll happen again, and assuredly at the worst possible time.
Article continues belowAfter the team spotted another set of machines that was reaching the 49.7-day uptime, they set up some scripts to test their theory. Alas, they found that when the fateful moment arrived, the Mac they had continuously creating new connections just stopped doing so without so much as an error.
The team then turned its attention to the root cause, as it was clearly related to a networking-related timer. They found the culprit to be the "tcp_now" internal counter, a figure that was "destined to overflow." The job tcp_now does is to keep track of the current time since boot as far as the TCP stack is concerned, down to the millisecond. tcp_now is represented as a 32-bit unsigned integer, and those have a maximum value of 4,294,967,295 (2^32 - 1) before they wrap around to zero. Since it tracks milliseconds, tcp_now's maximum is 4,294,967 seconds, or 49.7 days.
As defined by standards, operating systems collect and remove closed TCP connections after a short while; 30 seconds in the case of macOS. The result of attempting to clean up these inactive connections when tcp_now is close to or at its limit (and gets stuck there thanks to a bug in Apple's XNU kernel) is that any connection's expiration status is calculated against that frozen number, resulting in a value that always overflows a 32-bit unsigned integer. When the periodic check comes to see whether a closed connection is meant to be deleted, the result is always "no," because the comparison math doesn't work.
The TCP stack then fills up with errantly held ephemeral ports and effectively grinds to a halt when no more are available. How quickly that happens depends on the amount of network activity, but in any server or professional environment that's bound to be a rapid event. This class of problems is hardly known, integer overflows have been the cause of Windows 98's famous 49.7-day crash and the upcoming Year 2038 problem.
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
According to Photon, the current mitigation is a reboot, although the team says it's working on an alternative solution. They also found this issue to be the source of some bugs discussed online in the Apple Community forums, too. The long-existing RFC 7323 specifies what should happen to the timestamp clock (tcp_now) when it reaches its limit, but Apple's kernel performs an incorrect implementation. It's safe to say this issue will likely be fixed quickly—and hopefully before 49.7 days after the report.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
-
JamesJones44 I'm not so sure I agree with their analysis, at least not 100%. I have a 2018 Mac Mini running as a reverse proxy for a VPN that never gets rebooted. In fact the last time it was rebooted was December 15th when I upgraded it to macOS 26. It has been running and serving the reverse proxy for 113 days. Perhaps this only affects a subset of macOS hardware, but Photon is claiming any Mac which my 2018 Mac Mini seems to disprove.Reply -
CelicaGT I never reboot my Macs, excepting for updates. What is the author doing to require a reboot every few weeks? This isn't Windows '98...Reply -
Rhongomiant I have definitely seen issues like like what is described here, but unfortunately they are not limited to this 49 day issue. I haven’t tracked uptime days when these issues have occurred, but currently I have an issue where the screen share session from a MBP 16” M3 to a MBA 15” M4 drops and reconnects at ~10 minutes of use or less. This started yesterday. The day before and every day before that was fine. The MBP has been up for 16.7 days and the MBA has been up for 7.5 days.Reply
I operate hundreds of Linux servers since 2008 and have had to reboot servers less than I have had to reboot my Macs for issues like this. I haven’t used Windows on the regular since 2015 and never experienced this issue and haven’t heard of people that use it having like issues then or now. I didn’t have these issues until I got an M series Mac. My MBP 2019 didn’t have it when I used it regularly, so it must be something or things that have been added or updated in more recent versions of macOS and maybe with specific hardware at either the hardware or code level, Intel code vs Arm code.
Update: 2026-04-10
When I was writing this, I couldn’t recall some specifics I wanted to share. I most often see issues with Safari either refusing to load specific sites out of the blue or refusing to load anything. Often even closing Safari and opening it again isn’t enough. I have to reboot the Mac to fix the issue. Other apps work fine when this is happening. -
PEnns From the article, it seems this issue is confined to Photon and its "fleet of Macs'" (somebody correct me if I am wrong).Reply
My take on this: ANY disgruntled 3rd rate coder / administrator can write a Date() based routine that will cause issues say, starting every 49 days after they have been let go....
If my theory = True, they're lucky their data doesn't get erased after an X amount of days and repeats till the real reason is found! -
palladin9479 ReplyCelicaGT said:I never reboot my Macs, excepting for updates. What is the author doing to require a reboot every few weeks? This isn't Windows '98...
It's in the toms article but goes deeper when you read the linked Photon article
https://photon.codes/blog/we-found-a-ticking-time-bomb-in-macos-tcp-networking
"The bug we found in macOS belongs to this exact family. The XNU kernel stores its TCP timestamp as a uint32_t counting milliseconds since boot. 2³² milliseconds = 49 days, 17 hours, 2 minutes, and 47.296 seconds. After that, the counter wraps back to zero. What happens next is the subject of this post."
They wrote some test code and observed and yes the MacOS kernel, at the articles time of writing, had a bug with the networking stack that can cause the TCP stack connection cleanup to break when the TCP timestamp value roles over the 32-bit counter.
This is the decisive evidence. macOS TIME_WAIT timeout is 2 \00d7 MSL = 30 seconds. 84 seconds after the script stopped, all 2,828 TIME_WAIT connections should have expired to zero. Instead, not a single one was reclaimed — the count actually increased slightly as the system's own normal connections also began piling up.
You can only have so many TCP connections open at once so once cleanup stops working it's merely a matter of time until you hit that limit and no more new TCP connections can be made. They even go into exactly where in the kernel code the bug is at. -
JamesJones44 Reply
I feel like it has to be, there are several Mac hosting services out there (Mac Stadium for example), I find it hard to believe no other service has seen this.PEnns said:From the article, it seems this issue is confined to Photon and its "fleet of Macs'" (somebody correct me if I am wrong).
Reading the source article, it sounds like it has more to due with the number of connections + time vs just a raw 49.7 days. A low number of connections sounds like it wouldn't be an issue for a very long time, but rapid connections causes the issue. I could be wrong, but that is how I've read it. I'm still have my suspicions of the analysis as a whole (no doubt they found something, but is it really the problem or is it they way they are interacting with the system), seems like we would have heard of this before now, but at least the added number of connections variable makes it more plausible -
palladin9479 ReplyJamesJones44 said:I feel like it has to be, there are several Mac hosting services out there (Mac Stadium for example), I find it hard to believe no other service has seen this.
Reading the source article, it sounds like it has more to due with the number of connections + time vs just a raw 49.7 days. A low number of connections sounds like it wouldn't be an issue for a very long time, but rapid connections causes the issue. I could be wrong, but that is how I've read it. I'm still have my suspicions of the analysis as a whole (no doubt they found something, but is it really the problem or is it they way they are interacting with the system), seems like we would have heard of this before now, but at least the added number of connections variable makes it more plausible
The original article lists where in the kernel code they found the bug, it absolutely exists. When your Mac starts up it records the number of milliseconds in a 32-bit integer in the kernel. 32-bit integers have a maximum value of 4,294,967,296, so this variable can go up to 4,294,967,296 milliseconds. When it hits that number it will then roll over back to 0 and start counting up again. The bug is in the TCP connection garbage collection code of the network stack, this is where old TCP connections are closed out after a period of time. This code doesn't know how to handle that 32-bit integer rolling over and will stop working once this occurs. Once your TCP connection garbage collection stops working you will start getting zombie connections, each connection consuming a TCP socket, of which there are only 65,536 of. As connections are opened over time they will continue consuming those sockets until you hit 65,536 open sockets, when that happens your network stack will no longer be able to open new TCP connections resulting in a complete shutdown of TCP network capability. Networking will not work correctly until you restart the kernel to clear those values and restart the TCP network stack.
If you are doing security updates every 30~60 days, then that reboot cycle is naturally doing this for you, especially as Mac's are not used as web servers that handle tens of thousands of TCP connections at once like you see with Apache / Nginx on linux. Photon did try to use Mac's to do this sort of task (why IDK) and tripped over this use case. -
abufrejoval I immediately went to this 1000Hz ticks overflowing a 32 bit integer after reading the headline: this has been an issue with just about any Unixoid since they went to 64-bit and increased the clock tick from 100 to 1000 in the process.Reply
I faced that in a production payment system which lost Oracle database access after some time. Nothing wrong with the database, nothing wrong with any of the systems, all diagnostics came back with perfect health, yet the application had lost the database and nobody could pay with their cards.
Doing the thing you do when you don't know any better we restarted the application, or rather the application's OpenVZ container and things just went back to normal immediately.... until the same thing happened.
I was eventually able to create and analyze a crash dump of the failing application, just before it got restarted and on its stack trace I noticed that it was failing within an Oracle client library and had gotten an error on a system call to some variant of time or utime, that evidently wasn't expected and then also not handled correctly.
That syscall returned the ticks since boot and noted that ticks were measured in 100 Hz traditionally on Unix since the PDP-11; but might be 1000 Hz on Gigahertz 64-bit systems, which tended to require much higher precision, because they did so much more work, while returning a 64 bit value offered a lot more headroom.
A mental groan started forming in my head as I popped up my Excel and sure enough 32-bit would overflow at close to 50 days at 1000 Hz ticks, which matched the data from the crash dump and the error code returned (but not properly handled).
Just in case you're worried, there are quite a few new and far more precise time management libraries and tools on Unix these days...
So anyhow, I proudly opened a bug report on Oracle, and Oracle disappointingly quickly replied that it had been fixed a few months ago and that it was time I patched our systems...
Of course this must have been at least 20 years ago, but I felt pretty good having found a bug in Oracle software, without access to source code. And at the time my job as an operations team manager didn't even require any programming skills. I just happened to have a CS master degree and had done years of OS kernel and library work as part of my thesis in HPC and thus felt I should at least try, before just putting a "reboot every month" into the SOPs.
Of course then came PCI-DSS and not rebooting at least once a month (after installing patches), became a security framework violation... I wonder how many more of these bugs have thus never been caught!
The reason we got into that situation in the first place was like everyone else at the time, we were consolidating workloads from hundreds of small 32-bit Linux servers to far fewer 64-bit Linux servers via virtualization. Except we weren't using virtual machines, which would have avoided that issue (via a 100Hz tick kernel), but used IaaS abstraction (pre Docker) OpenVZ container, which run 32 and 64 userlands on a 64-bit kernel. And we got 70:1 consolidation with only a RAM upgrade on pre-existing machines, while VMs typically only managed 4:1 on existing hardware, if and only if that had VM hardware support built in.
Of course the issue wasn't OpenVZ, any 32-bit workload on a 64-bit kernel would have had the same issue.
Since I had been doing that conversion as a skunkworks project without management approavel (no budget, no ask), the pressure (and motivation) was on the high side. -
Pierce2623 Reply
I’m guessing it’s Apple Silicon Macs.JamesJones44 said:I'm not so sure I agree with their analysis, at least not 100%. I have a 2018 Mac Mini running as a reverse proxy for a VPN that never gets rebooted. In fact the last time it was rebooted was December 15th when I upgraded it to macOS 26. It has been running and serving the reverse proxy for 113 days. Perhaps this only affects a subset of macOS hardware, but Photon is claiming any Mac which my 2018 Mac Mini seems to disprove. -
CelicaGT Reply
My M3 Air is at just over 60 days up time and no issues observed, 2020 Intel i5 Air is at 180 days (checked both in Terminal) and no issues on it either. Reading an above explanation in response to my earlier and rather glib post makes sense though I'm still not convinced this is present in all use cases? My machines sit mainly idle, one is a DD for me and the other is used by the family for general use computing. FWIW I am by no means any kind of networking expert. I can do many things on my own as a computer enthusiast but networking is just not one of them (well not without some coaching). So basically I'm not disputing the article or the researchers, it's just that my machines seem fine so it's likely I'm missing some piece of the pie here. It's fine, it's an interesting read and that's why I continue to come to Tom's. And now I'll be watching these things like a hawk lol...Pierce2623 said:I’m guessing it’s Apple Silicon Macs.