
Apple M5 MIE Kernel Exploit: Update to macOS 26.5 Now

Calif researchers bypassed Apple M5 Memory Integrity Enforcement in 5 days using Claude Mythos AI

Apple spent five years and reportedly billions of dollars building Memory Integrity Enforcement into the M5 chip. A three-person team at security startup Calif, armed with Anthropic’s Claude Mythos Preview, bypassed it in five days. The fix is in macOS 26.5. If you haven’t updated your M5 machine, you’re still exposed.

What MIE Was Supposed to Do

Memory Integrity Enforcement, exclusive to M5 and A19 silicon, is Apple’s answer to the class of kernel exploits that has plagued operating systems for decades. It works by assigning hardware tags to every 16-byte memory slice. Any access without the matching tag triggers an exception and kills the process — at the hardware level, with no performance cost.

In theory, MIE makes buffer overflows and use-after-free vulnerabilities impractical as exploitation vectors. Apple called it “the most significant upgrade to memory safety in the history of consumer operating systems.” That claim has aged badly.

The Exploit That Broke Through

Researchers Bruce Dang, Dion Blazakis, and Josh Maine at Calif discovered two kernel bugs on April 25, 2026. By May 1 — five days later — they had a working local privilege escalation chain running on bare-metal M5 hardware with MIE fully enabled. The exploit starts from an unprivileged user account, uses only standard system calls, and produces a root shell.

What makes this technically significant is the attack class: data-only exploitation. The team never triggered a memory tag exception because they never performed memory corruption. Instead, they manipulated kernel data structures through logic flaws — specifically a vulnerability in the _zalloc_ro_mut kernel allocator — changing privileged state without touching protected memory. MIE had nothing to intercept.

Apple shipped macOS Tahoe 26.5 on May 11, patching CVE-2026-28952 with an overflow check earlier in _zalloc_ro_mut and per-CPU allocation bounds. The release notes credited “Calif together with Claude and Anthropic Research” — a vendor crediting an AI tool by name in a security advisory is worth noting.

What Claude Mythos Actually Did

Mythos Preview, Anthropic’s restricted security-focused model available to roughly 40 partner organizations via Project Glasswing, identified both vulnerabilities during the research. The researchers described its core capability plainly: “Once it has learned how to attack a class of problems, it generalizes to nearly any problem in that class.”

This is not AI writing exploit code. It is AI pattern-matching at scale across a vulnerability class, surfacing candidates that would take a human researcher significantly longer to find manually. Human judgment handled the strategic decisions — particularly the MIE bypass approach — while Mythos handled the reconnaissance.

The implication is uncomfortable: the same capability that accelerates defensive security research accelerates offensive research equally well. The difference is access. Mythos is restricted today. The techniques it demonstrates will not remain restricted.

What Developers on M5 Hardware Must Do

The immediate action is straightforward: update to macOS 26.5 or later. Any M5 machine running macOS 26.4.x is still vulnerable to CVE-2026-28952.

The longer-term picture is more complicated. Apple’s patch fixes the specific allocator bug Calif exploited, but data-only attacks against the kernel are a class problem, not a bug problem. The 26.5 fix closes one instance of the vulnerability, not the category. Calif is holding back a 55-page technical report until patching reaches sufficient adoption.

For developers writing systems software or kernel extensions targeting M5, a few principles carry more weight after this disclosure:

  • Hardware mitigations like MIE raise exploitation costs — they do not eliminate vulnerability classes
  • Data-only attacks require no memory corruption; memory-safe languages help with underlying bugs but don’t address logic flaws in data handling
  • Automated patch deployment for macOS fleets is no longer optional for organizations running M5 hardware
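A minimal fleet-compliance check that follows from the advice above, written here as an added example rather than anything Apple or Calif published: it flags an Apple M5 host whose macOS version is below 26.5. It assumes `sw_vers -productVersion` and `sysctl -n machdep.cpu.brand_string` report the version and chip name on a live host (the brand string containing "Apple M5" is an assumption); offline, the functions can be exercised with constructed values.

```shell
#!/bin/sh
# Constructed example: flag M5 Macs still below the macOS 26.5 fix for CVE-2026-28952.
PATCHED_VERSION="26.5"

# version_lt A B : succeed when dotted version A is numerically older than B.
# Missing trailing components count as 0, so 26.5 is not older than 26.5.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        a_head="${a%%.*}"; b_head="${b%%.*}"
        [ -z "$a_head" ] && a_head=0
        [ -z "$b_head" ] && b_head=0
        [ "$a_head" -lt "$b_head" ] && return 0
        [ "$a_head" -gt "$b_head" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# needs_update CHIP VERSION : succeed only for an M5 host below the patched version.
# Any sub-26.5 build is treated as unpatched, generalizing the article's "26.4.x".
needs_update() {
    chip="$1"; version="$2"
    case "$chip" in
        *"Apple M5"*) ;;          # assumption: brand string names the M5 family
        *) return 1 ;;            # MIE-equipped M5 machines are the scope here
    esac
    version_lt "$version" "$PATCHED_VERSION"
}

# Live mode reads the real host values; run as: sh check_m5.sh --live
if [ "${1:-}" = "--live" ]; then
    chip="$(sysctl -n machdep.cpu.brand_string 2>/dev/null)"
    version="$(sw_vers -productVersion 2>/dev/null)"
    if needs_update "$chip" "$version"; then
        echo "VULNERABLE: $chip on macOS $version (< $PATCHED_VERSION), CVE-2026-28952 unpatched"
        exit 2
    fi
    echo "OK: $chip on macOS $version"
fi
```

Exit status 2 from `--live` mode makes the check easy to wire into an MDM or cron-driven inventory job.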

The Bigger Picture

The 5-day timeline is the real story. Nation-state actors have had AI-assisted exploit research capability for longer than the public has known. What Calif demonstrated is that a small, well-resourced team with access to a frontier security model can compress research timelines dramatically. The economics of kernel exploitation are shifting.

Apple’s MIE remains valuable — it raises the bar meaningfully for the majority of exploit attempts. But “raises the bar” is different from “makes exploitation infeasible,” and the industry spent too long treating them as equivalent. The data-only attack class was always present in the kernel. It took AI pattern recognition operating at scale to find it in five days instead of five years.

Calif’s full technical report drops after macOS 26.5 adoption widens. When it does, expect the data-only LPE playbook to become significantly better understood — by defenders and attackers alike. The Hacker News thread is already active with researchers trading notes.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
