[BUG] CRITICAL: Claude Code Native Binary Contains Memory Safety Bugs (Uninitialized Memory)
Resolved 💬 3 comments Opened Feb 9, 2026 by yassirusa Closed Feb 9, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Description
Claude Code native binary (v2.1.37) contains serious memory safety violations detected via valgrind. The binary exhibits:
- Extensive use of uninitialized memory
- Conditional operations on garbage values
- Resulting in unbounded memory growth causing system-wide hangs
Environment
- Claude Code version: 2.1.37 (native binary)
- Installation method: Native binary (
~/.local/share/claude/versions/2.1.37) - Operating System: Ubuntu 24.04 LTS (VMware VM)
- System Resources: 36GB RAM, 16 CPUs (Intel Core i9-12900H), NVMe PCI-4 storage
- Valgrind version: Default Ubuntu package
Root Cause Analysis
The native binary exhibits textbook memory safety violations:
- Uninitialized Memory Usage: Variables are read before being initialized, leading to unpredictable behavior
- Conditional Logic on Garbage: The binary makes control flow decisions based on uninitialized values
- No Debug Symbols: Binary is stripped, preventing precise error identification
- Resulting Memory Corruption: These violations cascade into unbounded memory growth
Observable Impact
These memory safety bugs directly cause:
- Unbounded virtual memory growth (76GB+ observed after 71 hours)
- Resident memory accumulation (2.1GB reported)
- System-wide I/O thrashing (46.9% I/O wait)
- Complete VM freeze requiring hard restart
- Load average spike to 135+ on 16-core system
- kswapd0 kernel process at 100% CPU (memory management failure)
Actual Behavior
Claude Code:
- Uses uninitialized memory systematically
- Generates numerous valgrind warnings immediately on startup
- Grows unbounded in virtual memory over extended sessions
- Eventually freezes entire system
Severity
CRITICAL - This is a memory safety bug in a production tool, distributed to all users. The native binary (now the recommended installation method) is fundamentally unsafe.
Additional Context
- Binary is stripped, making debugging difficult. Consider distributing with debug symbols or using AddressSanitizer during development
- NODE_OPTIONS memory limits do not apply (native binary, not Node.js)
- Issue reproducible with fresh installation
- Affects native binary specifically (not npm version)
- Valgrind detection indicates compiler-level bug, not runtime configuration issue
Suggested Actions
- Immediate: Recompile native binary with AddressSanitizer (ASAN) to catch memory errors at runtime
- Short-term: Publish patched v2.1.38 with memory safety fixes
- Long-term: Implement continuous memory safety testing in CI/CD
- Documentation: Update installation docs to note this is a known issue being addressed
What Should Happen?
Expected Behavior
Claude Code should:
- Initialize all memory before use
- Contain no valgrind-detectable memory safety issues
- Respect system memory constraints
- Not cause system-wide swap thrashing
Error Messages/Logs
Running valgrind on the native binary reveals systematic memory safety issues. Within 2 seconds of execution, valgrind reported numerous memory safety violations:
==9321== Use of uninitialised value of size 8
==9321== at 0x58A4638: ??? (in /home/user/.local/share/claude/versions/2.1.37)
==9321== by 0x58A5BF7: ??? (in /home/user/.local/share/claude/versions/2.1.37)
==9321== by 0x410D631: ??? (in /home/user/.local/share/claude/versions/2.1.37)
...
==9321== Conditional jump or move depends on uninitialised value(s)
==9321== at 0x5841F28: ??? (in /home/user/.local/share/claude/versions/2.1.37)
==9321== by 0x58A5BF7: ??? (in /home/user/.local/share/claude/versions/2.1.37)
These errors accumulated rapidly, filling terminal output within seconds of startup.
Steps to Reproduce
- Install Claude Code native binary v2.1.37
- Install valgrind:
sudo apt install valgrind - Run:
valgrind --leak-check=full $(which claude) - Observe "Use of uninitialised value" errors appearing within seconds
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.37
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Windows Terminal
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗