The 49.7-Day Time Bomb Hidden in Every Mac’s Network Stack

The 49.7-Day Time Bomb Hidden in Every Mac’s Network Stack

A 32-bit integer overflow deep in Apple’s XNU kernel silently kills TCP networking on any Mac left running for just over seven weeks — and a reboot is the only known fix.

Every Mac ever sold contains a silent expiration date buried inside its networking code. After exactly 49 days, 17 hours, 2 minutes, and 47 seconds of uninterrupted operation, a fundamental flaw in Apple’s implementation of the TCP/IP networking stack causes the system to stop accepting or initiating new network connections entirely — with almost no warning and no logged error. The machine keeps running, ping responses look perfectly normal, and existing connections stay alive. But nothing new can connect. The only remedy is a full reboot.

The vulnerability was publicly detailed this week by engineers at Photon, a company that operates a fleet of Macs to monitor iMessage messaging services around the clock. Their account of the discovery — months of mysterious failures, painstaking investigation, and a final breakthrough involving a decades-old standard Apple never properly implemented — reads like a detective story with implications for anyone running a Mac as a server, home automation hub, or any other always-on device.

How the Mystery Unfolded

Photon’s fleet of Mac minis runs continuously, processing thousands of network transactions per hour. One by one, certain machines began exhibiting the same baffling behavior: new connections were refused, yet the machines appeared entirely healthy by conventional diagnostic measures. A ping would return a clean response. Established sessions remained active. Standard system logs showed nothing unusual.

Systems administrators were left with the unsatisfying solution of rebooting affected machines — aware that the problem would inevitably return, but with no understanding of when or why. It was only when the team noticed that affected machines shared a similar uptime — all clustered around the same duration of continuous operation — that the investigation gained traction.

Engineers set up monitoring scripts on another machine approaching the same uptime threshold. When the moment arrived, the machine stopped creating new connections without so much as an error message — precisely confirming their hypothesis. The team then dug deep into the XNU kernel source code to find the root cause.

The Technical Root Cause

At the heart of every macOS system’s TCP networking stack is a variable called tcp_now. Its job is simple: it tracks the number of milliseconds that have elapsed since the last system boot, providing the TCP stack with a consistent internal clock. The problem is that tcp_now is declared as a 32-bit unsigned integer — a data type that can only hold values from 0 to 4,294,967,295.

Once the system has been running for exactly 4,294,967,295 milliseconds — translating to 49 days, 17 hours, 2 minutes, and 47.296 seconds — the counter reaches its maximum value. On the very next millisecond tick, rather than advancing to 4,294,967,296, it wraps around and freezes at or near zero. The TCP clock, in effect, stops.

/* Simplified illustration of the overflow */
uint32_t tcp_now = 4294967295; // Maximum value
tcp_now++;                        // Wraps to 0 — clock freezes

/* TIME_WAIT cleanup depends on tcp_now advancing */
if (tcp_now - conn->start_time > TIMEOUT) {
    expire_connection(conn);      // Never fires after overflow
}

The consequences cascade quickly. The TCP stack uses tcp_now to manage TIME_WAIT states — a period during which recently closed connections are held briefly to prevent stale data from interfering with new connections. When tcp_now freezes, the expiry logic that cleans up these TIME_WAIT connections stops working entirely. Old connection slots are never reclaimed.

Every new TCP connection consumes one of the system’s 65,536 available ephemeral port slots. With cleanup halted, these slots fill up progressively. On a busy server handling thousands of connections per hour, exhaustion can occur within minutes of the overflow. On a lightly used home machine, it might take longer — but the outcome is inevitable. Once all ports are consumed, no new TCP connections can be made.

Why RFC 7323 Exists — and Apple Ignored It

This is not an unforeseen edge case. The Internet Engineering Task Force addressed timestamp clock overflow explicitly in RFC 7323, a standard governing TCP performance extensions that has been in place for years. The standard defines exactly how implementations should handle the moment when a timestamp counter wraps around — using modular arithmetic and careful comparison logic that remains correct even after overflow.

Apple’s XNU kernel does not follow this specification correctly. Rather than applying RFC 7323-compliant overflow-safe comparisons, the kernel performs straightforward integer comparisons that produce incorrect results once tcp_now has wrapped. The standard anticipated this precise scenario; Apple’s implementation simply did not account for it.

The Failure Signature: Silent and Deceptive

What makes this bug particularly treacherous for systems administrators is how it presents. Unlike a kernel panic or a crashed process, the machine continues operating normally in every superficial sense. ICMP (ping) traffic is handled by a separate mechanism and remains fully functional. Long-running TCP sessions — an open SSH connection, an active database session — stay alive because they do not need to negotiate new connections.

Only attempts to open new TCP connections fail. Web requests time out. New SSH sessions are refused. API calls go unanswered. A monitoring dashboard might show the machine as “up” while it is, in practical terms, completely isolated from the network for new work.

An Echo from 1999: Windows 98’s 49.7-Day Crash

Long-time software engineers may experience a sense of déjà vu. In 1999, Windows 98 was found to suffer from its own 49.7-day failure — caused by a different but structurally identical integer overflow in the system’s timer infrastructure. That bug, widely reported and eventually patched by Microsoft, became a cautionary example of the dangers of 32-bit counters in long-running systems.

The macOS incarnation is in some ways more insidious: Windows 98 would crash hard and visibly, forcing an immediate reboot and restart. The macOS bug allows the machine to keep running indefinitely while silently becoming useless for any new network work — a failure mode that could go undetected for hours in lower-traffic environments.

Broader Context: Not Universally Reproduced

It is worth noting that community reports following Photon’s disclosure have been mixed. At least one developer reported running a Mac server continuously through multiple macOS versions — from Catalina through Sequoia — for months at a time without encountering the problem. Another user reported being past the 50-day uptime mark on macOS 15.7.4 without networking issues.

These observations suggest the failure may depend on the volume and pattern of network traffic. A lightly used machine that opens few TCP connections per day will exhaust its port pool far more slowly than a busy server handling constant traffic. In low-traffic scenarios, the machine might theoretically operate for some time past the 49.7-day mark before symptoms become apparent — but the underlying clock remains frozen, and failure is a matter of when, not if, under continued operation.

Current Mitigation and the Path to a Fix

For now, the only confirmed workaround is a periodic reboot before the 49.7-day mark is reached. For most Mac users this is a non-issue — regular software updates and ordinary usage patterns ensure machines restart well within this window. Administrators of always-on Mac systems should implement scheduled reboots with a cycle of 30 to 45 days as a conservative precaution.

Photon has stated it is researching an alternative mitigation that would not require a full system restart, but has acknowledged that a proper, lasting fix requires Apple to update the XNU kernel — replacing the non-compliant integer comparison logic with RFC 7323-compliant overflow-safe arithmetic. As of publication, Apple has not publicly commented on the disclosure or committed to a timeline for a patch.

The fix itself, technically, should not be complex. Changing tcp_now from a 32-bit to a 64-bit counter, or implementing the modular arithmetic approach prescribed by RFC 7323, would resolve the issue. The standard for doing so correctly has existed for years. Whether Apple acts quickly or allows the bug to linger in shipping software remains to be seen.

Conclusion

The Photon disclosure is a reminder that obscure, low-level bugs in mature operating systems can persist undetected for years — not because they are impossible to find, but because the conditions required to trigger them are unusual enough that most users never encounter them. macOS was not designed with always-on, server-like usage in mind, and its TCP stack reflects that. For a platform increasingly positioned as a capable professional and creative workstation, a decades-old networking standard going unimplemented is a notable gap.

Until Apple ships a kernel patch, the advice is straightforward: if you rely on a Mac for continuous, networked operation, schedule a reboot before the seven-week mark. It is an awkward workaround for what should be a textbook fix — but for now, it is the only one available.