
Mythos Preview Used to Create First Public macOS M5 Kernel Exploit

Originally published on: May 18, 2026
Summary

– Researchers developed the first public macOS kernel exploit targeting M5 hardware, bypassing Apple’s Memory Integrity Enforcement (MIE) to achieve local privilege escalation from an unprivileged user to a root shell.
– The exploit chain uses only standard system calls on macOS 26.4.1, with MIE active, and was built in five days after two bugs were discovered on April 25.
– The researchers delivered the exploit report directly to Apple Park to avoid submission queues, and will release full technical details only after Apple ships a patch.
– Anthropic’s Mythos Preview AI model helped identify the two vulnerabilities and assisted in exploit development, highlighting the power of human-AI pairing in offensive security research.
– Apple’s MIE, a hardware-assisted memory safety system based on ARM’s MTE, took five years and billions to build, but this exploit signals that AI-augmented teams can narrow the window of effectiveness for such mitigations.

For the first time publicly, Apple’s M5 chip has been compromised through a macOS kernel memory corruption attack, successfully sidestepping the company’s advanced hardware-level memory protections.

Security researchers Bruce Dang, Dion Blazakis, and Josh Maine, operating under the name Calif, crafted a working kernel local privilege escalation (LPE) exploit targeting macOS 26.4.1 (build 25E253) on bare-metal M5 hardware. The attack chain begins from an unprivileged local user account, relies solely on standard system calls, and ultimately grants a full root shell, all while Apple’s Memory Integrity Enforcement (MIE) remains active.

The team identified the two underlying bugs on April 25, joined forces two days later, and had a fully functional exploit running by May 1.

Rather than funneling their discovery through Apple’s standard bug bounty program, the researchers walked a 55-page printed report directly into Apple Park in Cupertino. This deliberate move was meant to bypass the congested submission queues that often plague events like Pwn2Own. Full technical details will be released only after Apple ships a patch.

Memory Integrity Enforcement is Apple’s hardware-assisted memory safety system, built on ARM’s Memory Tagging Extension (MTE) architecture. Introduced as the flagship security feature of the M5 and A19 chips, Apple spent five years, and reportedly billions of dollars, engineering MIE to specifically disrupt kernel memory corruption exploits. According to Apple’s own internal research, MIE neutralizes every known public exploit chain against modern iOS, including the leaked Coruna and Darksword exploit kits.

The breakthrough was made possible in part by Anthropic’s Mythos Preview, a powerful AI model that helped identify the two vulnerabilities and assisted throughout the exploit development process. Calif describes the model as capable of generalizing attack patterns across entire vulnerability classes once it learns a problem type. The bugs were discovered quickly because they fall within known bug classes; however, bypassing MIE was not done autonomously and still required significant human expertise, underscoring the power of a human-AI pairing.

The five-day development timeline against a protection that took Apple five years to build is being cited as a significant benchmark for AI-assisted offensive security research. Memory corruption remains the most prevalent vulnerability class across all modern platforms, including iOS and macOS. Security mitigations like MIE are designed to raise the cost of exploitation, not make it impossible.

This research demonstrates that as AI models grow more capable at surfacing unknown bugs in known classes, even best-in-class hardware mitigations face a narrowing window of effectiveness. Calif frames the exploit as a preview of what it calls the “AI bugmageddon” era, a period where small, AI-augmented security teams can achieve what previously required large, well-funded organizations.

Apple was built in a world before Mythos Preview; this exploit signals that the calculus of hardware security is already beginning to shift. Apple is reportedly working on a fix. Until a patch is released, systems running macOS 26.4.1 on M5 hardware remain at theoretical risk from local privilege escalation via this unpublished chain.

(Source: Cybersecuritynews.com)
