[BUG] CRITICAL: Claude Code Native Binary Contains Memory Safety Bugs (Uninitialized Memory)

Resolved 💬 3 comments Opened Feb 9, 2026 by yassirusa Closed Feb 9, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Description

Claude Code native binary (v2.1.37) contains serious memory safety violations detected via valgrind. The binary exhibits:

  1. Extensive use of uninitialized memory
  2. Conditional operations on garbage values
  3. Resulting in unbounded memory growth causing system-wide hangs

Environment

  • Claude Code version: 2.1.37 (native binary)
  • Installation method: Native binary (~/.local/share/claude/versions/2.1.37)
  • Operating System: Ubuntu 24.04 LTS (VMware VM)
  • System Resources: 36GB RAM, 16 CPUs (Intel Core i9-12900H), NVMe PCI-4 storage
  • Valgrind version: Default Ubuntu package

Root Cause Analysis

The native binary exhibits textbook memory safety violations:

  1. Uninitialized Memory Usage: Variables are read before being initialized, leading to unpredictable behavior
  2. Conditional Logic on Garbage: The binary makes control flow decisions based on uninitialized values
  3. No Debug Symbols: Binary is stripped, preventing precise error identification
  4. Resulting Memory Corruption: These violations cascade into unbounded memory growth

Observable Impact

These memory safety bugs directly cause:

  • Unbounded virtual memory growth (76GB+ observed after 71 hours)
  • Resident memory accumulation (2.1GB reported)
  • System-wide I/O thrashing (46.9% I/O wait)
  • Complete VM freeze requiring hard restart
  • Load average spike to 135+ on 16-core system
  • kswapd0 kernel process at 100% CPU (memory management failure)

Actual Behavior

Claude Code:

  • Uses uninitialized memory systematically
  • Generates numerous valgrind warnings immediately on startup
  • Grows unbounded in virtual memory over extended sessions
  • Eventually freezes entire system

Severity

CRITICAL - This is a memory safety bug in a production tool, distributed to all users. The native binary (now the recommended installation method) is fundamentally unsafe.

Additional Context

  • Binary is stripped, making debugging difficult. Consider distributing with debug symbols or using AddressSanitizer during development
  • NODE_OPTIONS memory limits do not apply (native binary, not Node.js)
  • Issue reproducible with fresh installation
  • Affects native binary specifically (not npm version)
  • Valgrind detection indicates compiler-level bug, not runtime configuration issue

Suggested Actions

  1. Immediate: Recompile native binary with AddressSanitizer (ASAN) to catch memory errors at runtime
  2. Short-term: Publish patched v2.1.38 with memory safety fixes
  3. Long-term: Implement continuous memory safety testing in CI/CD
  4. Documentation: Update installation docs to note this is a known issue being addressed

What Should Happen?

Expected Behavior

Claude Code should:

  • Initialize all memory before use
  • Contain no valgrind-detectable memory safety issues
  • Respect system memory constraints
  • Not cause system-wide swap thrashing

Error Messages/Logs

Running valgrind on the native binary reveals systematic memory safety issues. Within 2 seconds of execution, valgrind reported numerous memory safety violations:


==9321== Use of uninitialised value of size 8
==9321==    at 0x58A4638: ??? (in /home/user/.local/share/claude/versions/2.1.37)
==9321==    by 0x58A5BF7: ??? (in /home/user/.local/share/claude/versions/2.1.37)
==9321==    by 0x410D631: ??? (in /home/user/.local/share/claude/versions/2.1.37)
...

==9321== Conditional jump or move depends on uninitialised value(s)
==9321==    at 0x5841F28: ??? (in /home/user/.local/share/claude/versions/2.1.37)
==9321==    by 0x58A5BF7: ??? (in /home/user/.local/share/claude/versions/2.1.37)


These errors accumulated rapidly, filling terminal output within seconds of startup.

Steps to Reproduce

  1. Install Claude Code native binary v2.1.37
  2. Install valgrind: sudo apt install valgrind
  3. Run: valgrind --leak-check=full $(which claude)
  4. Observe "Use of uninitialised value" errors appearing within seconds

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.37

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Windows Terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗