Summary
A kernel panic occurred on 2026-06-12 caused by opencode exhausting the macOS kernel zone map through an apparent memory leak in the data.kalloc.1024 zone, triggered via the EndpointSecurity kext.
Environment
| Field |
Value |
| OS |
macOS 26.3 (25D125) |
| Kernel |
Darwin 25.3.0 — xnu-12377.81.4~5/RELEASE_ARM64_T6000 |
| Chip |
Apple M1 Pro (T6000) |
| Date/Time |
2026-06-12 14:37:57 +0800 |
| Panicked process |
opencode.exe (PID 33091) |
Panic String
panic(cpu 2 caller 0xfffffe0029931d58): zalloc[3]: zone map exhausted while
allocating from zone [data.kalloc.1024], likely due to memory leak in zone
[data.kalloc.1024] (20G, 21182160 elements allocated) @zalloc.c:4534
Largest Zones at Time of Crash
| Zone |
Size |
Free |
data.kalloc.1024 |
20 GB |
0 B |
APFS_INODES |
106 MB |
211 KB |
compressor_segment |
60 MB |
14 MB |
The data.kalloc.1024 zone consumed the entire zone map (20 GB, 21,182,160 elements) with zero bytes remaining.
Backtrace (Panicked Thread tid 22229811)
Panicked task 0xfffffe2e9f38eb70: 31766 pages, 29 threads: pid 33091: opencode.exe
Panicked thread: 0xfffffe1d3b075fc0, backtrace: 0xfffffecc1c4dad30, tid: 22229811
lr: 0xfffffe00298adcf0 fp: 0xfffffecc1c4dadc0
lr: 0xfffffe0029a1e60c fp: 0xfffffecc1c4dae30
lr: 0xfffffe0029a1c804 fp: 0xfffffecc1c4daef0
lr: 0xfffffe0029853b88 fp: 0xfffffecc1c4daf00
lr: 0xfffffe00298adfbc fp: 0xfffffecc1c4db3e0
lr: 0xfffffe002a1b5854 fp: 0xfffffecc1c4db400
lr: 0xfffffe0029931d58 fp: 0xfffffecc1c4db600 ← zalloc panic site
lr: 0xfffffe00299357f8 fp: 0xfffffecc1c4db680
lr: 0xfffffe0029aa8fcc fp: 0xfffffecc1c4db960
lr: 0xfffffe0029acdcdc fp: 0xfffffecc1c4db9b0
lr: 0xfffffe002b9e3138 fp: 0xfffffecc1c4dba30 ← EndpointSecurity entry
lr: 0xfffffe002ba12808 fp: 0xfffffecc1c4dbb60
lr: 0xfffffe002ba12b18 fp: 0xfffffecc1c4dbb80
lr: 0xfffffe002a194b68 fp: 0xfffffecc1c4dbbe0
lr: 0xfffffe0029afb3c0 fp: 0xfffffecc1c4dbc30
lr: 0xfffffe0029ae6a3c fp: 0xfffffecc1c4dbde0
lr: 0xfffffe0029faf504 fp: 0xfffffecc1c4dbe50
lr: 0xfffffe0029a1c88c fp: 0xfffffecc1c4dbf10
lr: 0xfffffe0029853b88 fp: 0xfffffecc1c4dbf20
lr: 0x000000018d41483c fp: 0x0000000000000000
Kernel Extensions in backtrace:
com.apple.iokit.EndpointSecurity(1.0)[63D37344-1EF0-3E77-95AC-44E720AEBA86]
@ 0xfffffe002b9d6a80 -> 0xfffffe002ba65823
Analysis
The panic trace goes through com.apple.iokit.EndpointSecurity, the macOS security event framework used for monitoring filesystem and process events. opencode appears to be subscribing to EndpointSecurity events in a way that causes the kernel to allocate kalloc.1024 objects without ever releasing them — 21 million allocations over the session, consuming 20 GB of kernel zone map space, ultimately causing the machine to hard-panic and reboot.
Hypothesis: opencode's file-watching / process-monitoring code registers EndpointSecurity event handlers but leaks the associated kernel objects (possibly es_message_t buffers or related notification structures) over time. Under sustained use, this compounds until zone exhaustion.
Steps to Reproduce
- Run opencode for an extended session (exact duration unknown — crash occurred mid-session)
- Kernel panic occurs without warning; machine reboots
Impact
- Severity: Critical — causes a hard kernel panic and forced reboot, losing all unsaved work
- Machine must be restarted; no graceful shutdown
Diagnostic Files
- Full panic log:
/Library/Logs/DiagnosticReports/panic-full-2026-06-12-143757.0002.panic (2.4 MB)
- Reset counter diag:
/Library/Logs/DiagnosticReports/ResetCounter-2026-06-12-143801.diag
- Boot faults recorded:
wdog, reset_in1
- Incident ID:
FB6F2EC5-E99D-45FC-984B-EE99D8B27889
Suggested Fix
Audit all EndpointSecurity client usage for missing es_release_message() / es_delete_client() calls. Ensure that every es_message_t received via the event handler block is released after processing, and that the ES client is properly torn down on shutdown.
Summary
A kernel panic occurred on 2026-06-12 caused by opencode exhausting the macOS kernel zone map through an apparent memory leak in the
data.kalloc.1024zone, triggered via the EndpointSecurity kext.Environment
xnu-12377.81.4~5/RELEASE_ARM64_T6000opencode.exe(PID 33091)Panic String
Largest Zones at Time of Crash
data.kalloc.1024APFS_INODEScompressor_segmentThe
data.kalloc.1024zone consumed the entire zone map (20 GB, 21,182,160 elements) with zero bytes remaining.Backtrace (Panicked Thread tid 22229811)
Analysis
The panic trace goes through
com.apple.iokit.EndpointSecurity, the macOS security event framework used for monitoring filesystem and process events. opencode appears to be subscribing to EndpointSecurity events in a way that causes the kernel to allocatekalloc.1024objects without ever releasing them — 21 million allocations over the session, consuming 20 GB of kernel zone map space, ultimately causing the machine to hard-panic and reboot.Hypothesis: opencode's file-watching / process-monitoring code registers EndpointSecurity event handlers but leaks the associated kernel objects (possibly
es_message_tbuffers or related notification structures) over time. Under sustained use, this compounds until zone exhaustion.Steps to Reproduce
Impact
Diagnostic Files
/Library/Logs/DiagnosticReports/panic-full-2026-06-12-143757.0002.panic(2.4 MB)/Library/Logs/DiagnosticReports/ResetCounter-2026-06-12-143801.diagwdog, reset_in1FB6F2EC5-E99D-45FC-984B-EE99D8B27889Suggested Fix
Audit all EndpointSecurity client usage for missing
es_release_message()/es_delete_client()calls. Ensure that everyes_message_treceived via the event handler block is released after processing, and that the ES client is properly torn down on shutdown.