AI-Assisted Hack Bypasses Apple’s Five-Year Memory Safety Defense in Five Days

Anthropic has been sitting on an AI tool called Claude Mythos that is apparently so adept at sniffing out software security holes that the company refused to ship it to the general public. Instead, a handpicked group of security researchers and enterprise partners got the keys. We now have a live demonstration of what it can do — and the target is Apple’s freshly fortified M5 silicon.

Key Takeaways:

  • Researchers at Palo Alto-based Calif used Claude Mythos Preview to build the first publicly disclosed macOS kernel memory corruption exploit on Apple’s M5 chip, surviving the company’s new Memory Integrity Enforcement protection.

  • The full exploit chain — from unprivileged local user to root shell — came together in roughly five days of work, after Apple had spent five years and an estimated multi-billion-dollar budget engineering the defense it bypassed.

  • Calif disclosed the bug to Apple in person at Cupertino and will publish a 55-page technical writeup only after a patch ships; macOS Tahoe 26.5 already credits Calif and Anthropic Research for related fixes.

The Wall Street Journal first reported the work, which comes from a Palo Alto outfit called Calif. In a blog post published Thursday, the team described what they pulled off as the “first public macOS kernel memory corruption exploit on Apple M5.” Strip away the jargon and the takeaway is uncomfortable: an unprivileged local user can ride this chain all the way up to full device control.

Their write-up describes a chain involving “two vulnerabilities and several techniques.” The headline detail, though, is the assistant. Anthropic’s Claude Mythos Preview helped surface the bugs and walked alongside the humans through exploit development.

“Mythos Preview is powerful: once it has learned how to attack a class of problems, it generalizes to nearly any problem in that class. Mythos discovered the bugs quickly because they belong to known bug classes,” the post said.

Whether the specific flaws Calif found have already been patched is muddy. MacRumors noted that Apple’s release notes for macOS Tahoe 26.5, which shipped Monday, mention a fix for a bug submitted by Calif together with Claude and Anthropic Research, and Calif is credited in two other vulnerability advisories. But Calif’s own post says the team met with Apple “early this week,” which suggests the fix for this particular chain may still be inbound. “Full technical details will be shared after Apple fixes the vulnerabilities and attack path,” the researchers wrote.

An Apple spokesperson sent the WSJ a familiar line: “Security is our top priority, and we take reports of potential vulnerabilities very seriously.”

Why this particular crack matters

Apple did not stumble into this. The company has been hardening its silicon against exactly this category of attack for half a decade. The marquee result is MIE, or Memory Integrity Enforcement — a hardware-assisted memory safety system built on ARM’s Memory Tagging Extension (MTE). MIE was introduced as the flagship defense on the M5 and A19, aimed squarely at memory corruption, the bug class behind some of the nastiest iOS and macOS compromises ever pulled off.

By Apple’s own research, MIE breaks every publicly known exploit chain against modern iOS, including the leaked Coruna and Darksword toolkits. Many in the security community consider Apple devices the most locked-down consumer hardware money can buy. The investment, by Apple’s accounting, has run into the billions.

Calif’s chain pokes a hole in that picture — not because MIE is broken in some catastrophic way, but because the right pair of bugs plus the right helper still gets you in.

How the chain came together

The discovery itself was, by Calif’s own admission, partly accidental. Bruce Dang found the bugs on April 25. Dion Blazakis joined the company two days later. Josh Maine built the tooling. By May 1, the team had a working exploit.

The result is a data-only kernel local privilege escalation chain aimed at macOS 26.4.1 (25E253). It begins as an unprivileged local user, uses only ordinary system calls, and ends with a root shell. The target is bare-metal M5 hardware with kernel MIE switched on. Two vulnerabilities, several techniques, one path to the top.

Mythos Preview did not act alone. The Calif researchers were careful to credit human expertise: the model is fluent at recognizing known bug classes and racing through them, but a brand-new mitigation like MIE still benefits from a person who knows where to push.

“Part of our motivation was to test what’s possible when the best models are paired with experts. Landing a kernel memory corruption exploit against the best protections in a week is noteworthy, and says something strong about this pairing,” the team wrote.

An in-person disclosure, laser printed

Rather than dumping the report into Apple’s submission queue, Calif drove to Apple Park and handed it over in person — laser printed, as a nod to hacker tradition. The team wanted to avoid the fate of recent Pwn2Own participants whose reports got swamped in volume, and also, by their telling, wanted a small edge in the race for Twitter glory.

“Most respected hackers avoid human interaction whenever possible, so this physical strategy may give us a slight edge in the eternal race for five minutes of fame and glory on Twitter,” they wrote.

The 55-page technical breakdown is being held back until Apple ships a fix.

The bigger picture

MIE was never sold as unbreakable. Mitigations exist to make attacks more expensive, not impossible — and Apple controls enough of the stack to make that price tag punishing. But Calif’s point is that the cost calculus is being rewritten while we watch. AI-assisted bug discovery is here, it generalizes well within known bug families, and even hardware-backed defenses designed for years can give way when expert humans pair with a capable model.

“This work is a glimpse of what is coming. Apple built MIE in a world before Mythos Preview. We’re about to learn how the best mitigation technology on Earth holds up during the first AI bugmageddon,” the researchers wrote.

There is a quieter note at the end of their post worth keeping in mind. The Calif team mentioned that Apple’s hosts told them the spaceship campus cost roughly $5 billion. Asked about their own office, they said it came in well under $1 billion. The asymmetry is the entire story: small teams armed with capable AI can now do work that, until recently, required the kind of headcount and budget only a handful of organizations could field.

Written by Alius Noreika
