Zombie Process - what it is, why it happens, and quick fixes

Zombie Process

What it is

A zombie process (also called defunct) is a program that already finished, but a tiny entry is still stuck in the system’s process list. This happens mostly on Linux/macOS when a “child” program ends and its “parent” hasn’t picked up the “I’m done” message yet. Zombies don’t use CPU and barely any memory—they just take a slot until they’re cleaned up.

Why it matters

One or two zombies aren’t a problem. If you see lots of them, it usually means an app is a bit buggy, and in extreme cases it can clutter the system so new processes are harder to manage.

How it works 

  • Parent starts child: an app launches a helper program.

  • Child finishes: it exits and leaves an exit status behind.

  • Waiting to be “reaped”: the parent is supposed to collect that status.

  • Zombie state: until the parent collects it, the finished child shows as defunct (Z).

  • Auto-clean: if the parent app closes, the system usually cleans up the zombie.

Red flags

  • In top/ps you see processes marked Z or defunct.

  • Many zombies all tied to the same app.

  • An app that spawns helpers (converters, renderers, plugins) keeps “leaking” zombies.

Quick fixes (for everyone)

  • Just a few? Ignore them—they’ll often clear on their own.

  • Many from one app? Close and reopen that app, or restart the computer.

  • Happens often? Update the app and your OS; report the bug to the app’s support.

For power users (optional)

  • Find the parent with ps -o ppid= -p <zombie_pid> and restart that parent process.

  • Developers: handle SIGCHLD and call wait()/waitpid() so children are reaped correctly.

    Glossary (A–Z)

    All A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

      • Related Articles

      • Security Software

        What it is Security software is a set of apps and services that protect your devices and data from hackers, malware, and mistakes. It covers tools like antivirus/anti-malware, firewalls, VPNs, email and web filters, intrusion detection/prevention, ...

      • Reverse Lookup

        What it is Reverse lookup is the process of taking an IP address and asking: which hostname/domain does this belong to? Instead of the usual DNS query (name → IP), it flips the direction (IP → name). This is useful for seeing who is behind an IP, ...

      • SAML (Security Assertion Markup Language)

        What it is SAML is a standard that lets you use one login to access multiple websites and apps. You sign in once at an identity provider (like your company or school account), and that provider sends a signed “assertion” to other services proving who ...

      • Permutation

        What it is A permutation is a cryptography trick that rearranges characters or bits without changing them. Think of it as shuffling the deck - the same cards, new order. By itself it only hides the order, but combined with other steps it helps build ...

      • SIEM (Security Information and Event Management)

        What it is A SIEM is a central alarm system for security. It collects logs and alerts from your apps, servers, firewalls, and cloud accounts, then puts them in one place so patterns are easier to spot. Two ideas power it: SEM (watches events live and ...