CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 17, 2026

First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days

Cybersecurity News Archived May 17, 2026 ✓ Full text saved

Apple’s M5 silicon has reportedly been exploited for the first time in a public macOS kernel memory corruption attack, successfully bypassing the company’s notable hardware-level memory protection. Researchers from Calif, Bruce Dang, Dion Blazakis, and Josh Maine, developed a working kernel local privilege escalation (LPE) exploit targeting macOS 26.4.1 (25E253) on bare-metal M5 hardware. The […] The post First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days ap

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days By Guru Baran May 17, 2026 Apple’s M5 silicon has reportedly been exploited for the first time in a public macOS kernel memory corruption attack, successfully bypassing the company’s notable hardware-level memory protection. Researchers from Calif, Bruce Dang, Dion Blazakis, and Josh Maine, developed a working kernel local privilege escalation (LPE) exploit targeting macOS 26.4.1 (25E253) on bare-metal M5 hardware. The exploit chain starts from an unprivileged local user account, uses only standard system calls, and delivers a full root shell, all while Apple’s Memory Integrity Enforcement (MIE) is active. The team discovered the two underlying bugs on April 25, joined forces two days later, and had a working exploit running by May 1. First Public macOS Kernel Exploit Rather than submitting through the standard bug bounty pipeline, the researchers walked the 55-page printed report directly into Apple Park in Cupertino, a deliberate move to avoid the crowded submission queues seen during events like Pwn2Own. Full technical details will be published only after Apple ships a patch. Memory Integrity Enforcement is Apple’s hardware-assisted memory safety system, built on ARM’s Memory Tagging Extension (MTE) architecture. Introduced as the marquee security feature of the M5 and A19 chips, Apple spent five years, and reportedly billions of dollars, engineering MIE to specifically disrupt kernel memory corruption exploits. According to Apple’s own research, MIE disrupts every known public exploit chain against modern iOS, including the leaked Coruna and Darksword exploit kits. The breakthrough was made possible in part by Anthropic’s Mythos Preview, a powerful AI model that helped identify the two vulnerabilities and assisted throughout the exploit development process. Calif describes the model as capable of generalizing attack patterns across entire vulnerability classes once it has learned a problem type. The bugs were discovered quickly because they fall within known bug classes; however, autonomously bypassing MIE still required significant human expertise, underscoring the power of a human-AI pairing. The five-day development timeline against a protection that took Apple five years to build is being cited as a significant benchmark for AI-assisted offensive security research. Memory corruption remains the most prevalent vulnerability class across all modern platforms, including iOS and macOS. Security mitigations like MIE are designed to raise the cost of exploitation, not make it impossible. This research demonstrates that as AI models grow more capable at surfacing unknown bugs in known classes, even best-in-class hardware mitigations face a narrowing window of effectiveness. Calif frames the exploit as a preview of what it calls the “AI bugmageddon” era a period where small, AI-augmented security teams can achieve what previously required large, well-funded organizations. Apple was built in a world before Mythos Preview; this exploit signals that the calculus of hardware security is already beginning to shift. Apple is reportedly working on a fix. Until a patch is released, systems running macOS 26.4.1 on M5 hardware remain at theoretical risk from local privilege escalation via this unpublished chain. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News VMware Fusion Vulnerability Let Attackers Escalate Privilege to Root Microsoft Patch Tuesday May 2026 – 120 Vulnerabilities Fixed, Including 29 Critical RCE Flaws Critical Next.js Vulnerability Exposes Cloud Credentials, API keys, and Admin Panels Amazon Redshift JDBC Driver Vulnerabilities Enables Remote Code Execution Attacks Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices Latest News Cyber Security News JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers Cyber Security News Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities Cyber Security News Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords Cyber Security News Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices Android Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 17, 2026
    Archived
    May 17, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗