What React Native libraries do you use?
React Navigation, Hermes, RN New Architecture, Expo (mobile only), Expo Router
Are you using sentry.io or on-premise?
sentry.io (SaS)
Are you using any other error monitoring solution alongside Sentry?
No
Other Error Monitoring Solution Name
No response
@sentry/react-native SDK Version
7.11.0
How does your development environment look like?
⬇ Place the `npx react-native@latest info` output here. ⬇
System:
OS: macOS 15.7.5
CPU: (10) arm64 Apple M4
Memory: 381.41 MB / 16.00 GB
Shell:
version: "5.9"
path: /bin/zsh
Binaries:
Node:
version: 22.22.2
path: /opt/homebrew/opt/node@22/bin/node
Yarn:
version: 4.14.1
path: /opt/homebrew/opt/node@22/bin/yarn
npm:
version: 10.9.7
path: /opt/homebrew/opt/node@22/bin/npm
Watchman: Not Found
Managers:
CocoaPods:
version: 1.16.2
path: /opt/homebrew/bin/pod
SDKs:
iOS SDK:
Platforms:
- DriverKit 25.2
- iOS 26.2
- macOS 26.2
- tvOS 26.2
- visionOS 26.2
- watchOS 26.2
Android SDK: Not Found
IDEs:
Android Studio: 2025.3 AI-253.30387.90.2532.14935130
Xcode:
version: 26.3/17C529
path: /usr/bin/xcodebuild
Languages:
Java:
version: 21.0.5
path: /usr/bin/javac
Ruby:
version: 2.6.10
path: /usr/bin/ruby
npmPackages:
"@react-native-community/cli": Not Found
react:
version: 2.6.10
path: /usr/bin/ruby
npmPackages:
"@react-native-community/cli": Not Found
react:
installed: 19.2.0
wanted: 19.2.0
react-native:
installed: 0.83.6
wanted: 0.83.6
react-native-macos: Not Found
npmGlobalPackages:
"*react-native*": Not Found
Android:
hermesEnabled: Not found (Expo-managed; Hermes enabled via Expo default)
newArchEnabled: Not found (Expo-managed; set true in app.json)
iOS:
hermesEnabled: Not found (Expo-managed; Hermes enabled via Expo default)
newArchEnabled: Not found (Expo-managed; set true in app.json)
Sentry.init()
import * as Sentry from '@sentry/react-native';
const navigationIntegration = Sentry.reactNavigationIntegration({
enableTimeToInitialDisplay: true,
});
Sentry.init({
dsn: `https://${process.env.SENTRY_DSN}`,
sampleRate: 0.25,
tracesSampleRate: 0.05,
integrations: [navigationIntegration],
enableNativeFramesTracking: true,
});Steps to Reproduce
We do not have a deterministic local reproduction. The crash occurs intermittently on real-device installs; multiple users, low overall rate. The pattern below is what every captured crash report
shares:
- Build and run an iOS app on a real device (production-style build, New Architecture enabled, Hermes enabled).
- Initialize Sentry with
reactNavigationIntegration({ enableTimeToInitialDisplay: true }) and pass the integration to Sentry.init.
- Navigate from one screen to another that pushes onto the native stack (react-native-screens + @react-navigation/native v7).
- Spend a few seconds on the pushed screen (long enough for the
ttid-navigation-<route> span to be created and resolved).
- Tap the navigation bar's back button to pop the screen.
- Within ~1ms of the third
RNSScreen ui.lifecycle breadcrumb, the app crashes with EXC_BAD_ACCESS calling an NSString primitive (-length or -fastestEncoding).
The crash does not appear to depend on any specific in-screen interaction — only that the screen was entered, a TTID span was created, and then the screen was popped. It does not reproduce
reliably on demand; it surfaces in a fraction of pop transitions.
Expected Result
App launches normally and no random crashes happen.
Actual Result
The iOS app crashes with EXC_BAD_ACCESS shortly after the user pops a screen via the navigation bar back button. Crash is captured by Sentry's native crash handler — no JS-side error is thrown beforehand. iOS only. This was never observed on Android with the same build.
Two representative reports below. Both share the same breadcrumb sequence: __backButtonAction (touch) → three RNSScreen / RNSContainerNavigationController ui.lifecycle events within ~1ms → EXC_BAD_ACCESS on an NSString primitive in the same millisecond.
Report 1 — 2026-05-11
Breadcrumbs (chronological):
touch __backButtonAction (BackButton on _UIButtonBarButton)
lifecycle parentViewController=RNSNavigationController, screen=RNSScreen
lifecycle parentViewController=RNSScreen, screen=RNSContainerNavigationController
lifecycle parentViewController=RNSContainerNavigationController, screen=RNSScreen
exception EXC_BAD_ACCESS — "fastestEncoding >\nKERN_INVALID_ADDRESS at 0x71137ea6450c20."
Report 2 — 2026-05-13
Breadcrumbs (chronological):
touch __backButtonAction (BackButton on _UIButtonBarButton)
lifecycle parentViewController=RNSNavigationController, screen=RNSScreen
lifecycle parentViewController=RNSScreen, screen=RNSContainerNavigationController
lifecycle parentViewController=RNSContainerNavigationController, screen=RNSScreen
exception EXC_BAD_ACCESS — "length > ttid-navigation- > Attempted to dereference null pointer."
Observations:
- The literal
ttid-navigation- substring in the second report's exception value is what implicates the navigation integration's TTID feature — that prefix is generated by reactNavigationIntegration({ enableTimeToInitialDisplay: true }).
- Both crash sites are NSString primitives (
-length, -fastestEncoding/-UTF8String) — consistent with a UAF on the same string family in both events.
- No JS error or warning precedes the crash.
- Both events occurred on production-style builds installed on real iOS devices in our alpha cohort.
What React Native libraries do you use?
React Navigation, Hermes, RN New Architecture, Expo (mobile only), Expo Router
Are you using sentry.io or on-premise?
sentry.io (SaS)
Are you using any other error monitoring solution alongside Sentry?
No
Other Error Monitoring Solution Name
No response
@sentry/react-native SDK Version
7.11.0
How does your development environment look like?
Sentry.init()
Steps to Reproduce
We do not have a deterministic local reproduction. The crash occurs intermittently on real-device installs; multiple users, low overall rate. The pattern below is what every captured crash report
shares:
reactNavigationIntegration({ enableTimeToInitialDisplay: true })and pass the integration toSentry.init.ttid-navigation-<route>span to be created and resolved).RNSScreenui.lifecyclebreadcrumb, the app crashes withEXC_BAD_ACCESScalling an NSString primitive (-lengthor-fastestEncoding).The crash does not appear to depend on any specific in-screen interaction — only that the screen was entered, a TTID span was created, and then the screen was popped. It does not reproduce
reliably on demand; it surfaces in a fraction of pop transitions.
Expected Result
App launches normally and no random crashes happen.
Actual Result
The iOS app crashes with
EXC_BAD_ACCESSshortly after the user pops a screen via the navigation bar back button. Crash is captured by Sentry's native crash handler — no JS-side error is thrown beforehand. iOS only. This was never observed on Android with the same build.Two representative reports below. Both share the same breadcrumb sequence:
__backButtonAction(touch) → threeRNSScreen/RNSContainerNavigationControllerui.lifecycleevents within ~1ms →EXC_BAD_ACCESSon an NSString primitive in the same millisecond.Report 1 — 2026-05-11
Breadcrumbs (chronological):
touch __backButtonAction (BackButton on _UIButtonBarButton)
lifecycle parentViewController=RNSNavigationController, screen=RNSScreen
lifecycle parentViewController=RNSScreen, screen=RNSContainerNavigationController
lifecycle parentViewController=RNSContainerNavigationController, screen=RNSScreen
exception EXC_BAD_ACCESS — "fastestEncoding >\nKERN_INVALID_ADDRESS at 0x71137ea6450c20."
Report 2 — 2026-05-13
Breadcrumbs (chronological):
touch __backButtonAction (BackButton on _UIButtonBarButton)
lifecycle parentViewController=RNSNavigationController, screen=RNSScreen
lifecycle parentViewController=RNSScreen, screen=RNSContainerNavigationController
lifecycle parentViewController=RNSContainerNavigationController, screen=RNSScreen
exception EXC_BAD_ACCESS — "length > ttid-navigation- > Attempted to dereference null pointer."
Observations:
ttid-navigation-substring in the second report's exception value is what implicates the navigation integration's TTID feature — that prefix is generated byreactNavigationIntegration({ enableTimeToInitialDisplay: true }).-length,-fastestEncoding/-UTF8String) — consistent with a UAF on the same string family in both events.