Security researchers say they have built the first public macOS kernel memory corruption exploit on Apple’s M5 silicon, bypassing Apple’s Memory Integrity Enforcement (MIE) system with the help of Anthropic’s Claude Mythos model.
The exploit is highly significant because MIE is a hardware-assisted security system built into Apple’s M5 and A19 chips. It was specifically designed to prevent exactly this kind of memory corruption exploit.
Calif researchers Bruce Dang, Dion Blazakis and Josh Maine first identified the vulnerabilities in April. Using Mythos, it took them less than a week to have a working exploit. Mythos helped them find the bugs and assisted throughout exploit development.
“To the best of our knowledge, this is the first public macOS kernel exploit on MIE hardware,” the researchers said.
The privilege escalation exploit targets macOS 26.4.1 (25E253). It starts with an unprivileged local user, uses only normal system calls, and ends with a root shell. The path involves two vulnerabilities and multiple techniques, targeting M5 hardware with kernel MIE enabled.
If chained together with other attacks, it could allow an attacker to take control of a Mac device.
“Mythos Preview is powerful: once it has learned how to attack a class of problems, it generalizes to nearly any problem in that class,” the researchers said. “Mythos discovered the bugs quickly because they belong to known bug classes.”
But Mythos couldn’t do it alone. The researchers’ own human expertise was still required in bypassing MIE’s controls. What this does show is that human experts, combined with powerful frontier models, can effectively find vulnerabilities in even the most secure memory systems.
Calif presented a 55-page report to Apple in person at its Cupertino headquarters on Tuesday. The WSJ reports Apple is currently reviewing the findings. The researchers will release a full report after Apple fixes the vulnerabilities.
Are Frontier Models Becoming More Effective?
The Calif exploit is the latest example of AI-assisted vulnerability research producing real-world results against high-value targets.
Claude Mythos is only available in Preview mode to selected vetted partners, as part of Anthropic’s Project Glasswing program. Anthropic has deemed the model ‘too dangerous’ for general release due to its ability to identify software vulnerabilities.
Since the Preview became available, Claude Mythos has been used to find hundreds of vulnerabilities. Last month, Mythos was used to identify 271 security vulnerabilities in Firefox after Mozilla ran the model through the browser’s codebase.
“In a few weeks of testing, Mythos Preview has helped them find many thousands of (estimated) high + critical severity vulnerabilities, sometimes double what they’d normally find in a year,” Logan Graham, the Head of Project Glasswing, wrote on X this week.
On Wednesday, the UK’s AI Security Institute released new research showing that AI models’ cyber capabilities are quickly advancing. In testing of a newer Mythos Preview checkpoint, the model was able to effectively complete a full attack in 6/10 attempts.
“Stronger AI cyber capabilities are already producing tangible opportunities and risks,” the agency wrote. “The time to invest in strong security baselines is now. Frontier AI can strengthen attackers as well as defenders, and there is a critical window to build resilience.”