[BUG] Deterministic Bun segfault at 0xCD on Windows 10 — Trend Micro Apex One DLLs (TmUmEvt64 / Wtmmon64) in crash stack; 2.1.112 (Node) works, 2.1.113+ (Bun) crash
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Every Claude Code version from 2.1.113 onward (Bun-compiled claude.exe) deterministically segfaults at startup on my Windows 10 machine. The last Node-based release, 2.1.112, works perfectly. The crash stack trace contains DLLs belonging to Trend Micro Apex One (TmUmEvt64.dll, Wtmmon64.dll) — a centrally managed third-party security agent that DLL-injects into user processes. Bun (1.3.14, Windows x64 baseline) panics with a null-pointer-style segfault at address 0xCD during startup. 100% reproducible across reboots. This is distinct from prior issues (#55219, #52817, #28544) which had different addresses and no third-party DLL in the trace.
What Should Happen?
claude should launch and reach the interactive prompt without crashing, regardless of Trend Micro Apex One's process monitoring being active. Either Bun's startup needs to be hardened against this AV's DLL injection, or Claude Code should offer a Node-runtime distribution as a fallback (as it shipped pre-2.1.113).
Error Messages/Logs
============================================================
Bun v1.3.14 (2a41ca97) Windows x64 (baseline)
Windows v.win10_cu7
Args: "C:\Users\<user>\AppData\Roaming\npm\node_modules\@anthropic-ai\claude-code\bin\claude.exe" "--dangerously-skip-permissions"
Elapsed: 37886ms | User: 20859ms | Sys: 2125ms
RSS: 0.45GB | Peak: 0.52GB | Commit: 0.62GB | Faults: 174278 | Machine: 68.63GB
Features: http_client_proxy(16) jsc spawn(20) standalone_executable yaml_parse(4) claude_code
Builtins: "bun:ffi" "bun:main" "node:assert" "node:async_hooks" "node:buffer" "node:child_process" "node:constants" "node:crypto" "node:dns" "node:events" "node:fs" "node:fs/promises" "node:http" "node:https" "node:module" "node:net" "node:os" "node:path" "node:path/posix" "node:path/win32" "node:perf_hooks" "node:process" "node:readline" "node:stream" "node:stream/consumers" "node:stream/promises" "node:string_decoder" "node:timers/promises" "node:tls" "node:tty" "node:url" "node:util" "node:vm" "node:zlib" "undici" "ws" "node:http2"
panic(thread 23832): Segmentation fault at address 0xCD
oh no: Bun has crashed. This indicates a bug in Bun, not your code.
To send a redacted crash report to Bun's team,
please file a GitHub issue using the link below:
https://bun.report/1.3.14/e_12a41ca9mgggkEuhogDCSntdll.dllw0qMCSntdll.dllgkoMCSntdll.dll2nnMCYKERNEL32.DLLwkICaTmUmEvt64.dlls65OCaTmUmEvt64.dllw7idCaTmUmEvt64.dlluyrLCaTmUmEvt64.dll27rOCaTmUmEvt64.dll4gxOCaTmUmEvt64.dll4n5eCaTmUmEvt64.dllguxQCaTmUmEvt64.dll0ygaCWtmmon64.dlls8JCWtmmon64.dllk3rbCWtmmon64.dll2ktbCWtmmon64.dlliprmC65t0SA2A6M
Steps to Reproduce
- On a Windows 10 host with Trend Micro Apex One Antivirus running (processes:
Ntrtscan,PccNTMon,TmCCSF,TmListen,TmPfw,TmWSCSvc). npm install -g @anthropic-ai/claude-code@2.1.173(or any version from 2.1.113 onward).- From PowerShell:
claude --versionorclaude --dangerously-skip-permissions. - Process panics with the segfault shown above within seconds. 100% reproducible.
Confirmed clean downgrade: npm install -g @anthropic-ai/claude-code@2.1.112 immediately restores full functionality with no other system changes — the only delta is Bun-vs-Node runtime in the package. PATH, env, and Trend Micro config are untouched.
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
2.1.112
Claude Code Version
2.1.173
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
PowerShell
Additional Information
Stack frame analysis (decoded from the bun.report URL, in call order):
ntdll.dll×4 — early process initKERNEL32.DLL×1TmUmEvt64.dll×8 — Trend Micro User Mode Event Monitor (injected hooks)Wtmmon64.dll×4 — Trend Micro Web Threat Monitor (injected hooks)- Final fault inside Bun-compiled code
The Trend Micro DLLs sit between Windows loader code and Bun's own initialization. The 0xCD fault address is consistent with a null-pointer dereference after Trend Micro hooks have mutated state Bun reads during startup.
(also tried CMD — same crash)
(also tested 2.1.113 and 2.1.114 — same crash)
Hardware
- CPU: Intel Xeon E5-2630 v4 @ 2.20GHz (has AVX2; Bun still chose the "baseline" build)
- RAM: 64 GB
Security agent
- Trend Micro Apex One Antivirus (centrally managed by IT — cannot disable or add exclusions locally)
- Running processes:
Ntrtscan,PccNTMon,TmCCSF,TmListen,TmPfw,TmWSCSvc - DLLs visible in crash trace:
TmUmEvt64.dll,Wtmmon64.dll
Related issues (different stacks — not duplicates)
- #55219 — Windows 11 startup segfault at 0x3C in
USER32.dll(closed as not planned) - #54530 — 2.1.122 / Bun 1.3.14 segfault at 0x38
- #52817 — Bun segfault at 0x35C23800000
- #28544 — Bun segfault at 0xFFFFFFFFFFFFFFFF
- #51477 — i7-13700H Bun segfault
- #11201 — VS Code extension Bun 1.3.1 crash
None of those mention a specific third-party security DLL in the trace, so I'm filing this separately to surface the Trend Micro Apex One conflict explicitly.
Asks (in order of preference)
- Investigate a Bun-side hardening / workaround for Trend Micro's DLL injection (and ideally other common Windows EDR/AV agents). If reproducible inside a Bun-only repro, this likely belongs upstream at
oven-sh/bunand I'm happy to file there too. - Provide an opt-in Node-runtime distribution (or a
claude-code-nodepackage). 2.1.112'scli.jswas the only thing that worked in this environment, and a corporate-managed AV is not something most users can change. - Document Trend Micro Apex One (and similar managed EDRs) as a known-incompatible environment, with the exclusion paths IT needs to whitelist (
node_modules\@anthropic-ai\claude-code\bin\claude.exeplus any install staging dir).
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗