Mythos Preview by Anthropic Contributes to Exposing Vulnerabilities in macOS Kernel on M5
Apple introduced Memory Integrity Enforcement as one of the standout features of the M5 and A19 chips: at launch, the company explained that it was a hardware-assisted protection system against memory corruption, the class of vulnerabilities underlying the most sophisticated compromises on iOS and macOS. The design work of Memory Integrity Enforcement took five years. In May 2026, the security startup Calif demonstrated that this protection can be bypassed, with a working exploit completed in five days.
The team delivered a 55-page technical report in person to Apple Park in Cupertino on May 14, preferring physical delivery so that, as stated in their blog, the report would not get lost in the submission flow of the latest Pwn2Own. Apple confirmed that it is reviewing and validating the results, but did not indicate whether a patch is already in preparation.
MIE: Five Years of Hardware Development
Memory Integrity Enforcement is built on Memory Tagging Extension (MTE), an ARM specification from 2019 that assigns a secret tag to each memory allocation: a subsequent access with a non-matching tag causes an immediate crash, making it statistically much more expensive to exploit memory corruption bugs. Apple extended and strengthened MTE by developing MIE over five years, bringing it first to the iPhone 17 and iPhone Air, and later with the M5 chip to MacBooks as well. It is important to emphasize that until this demonstration, MIE had stopped every public exploit chain against modern iOS, including the recently emerged Coruna and Darksword kits: no kernel memory corruption exploit had ever surpassed this defense on M5 hardware.
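The tag check described above, as a simplified software model of basic MTE in C. This is an added example, not Apple's or ARM's code and not part of the original article; the toy heap, the function names and the constructed seed are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model (assumed): 16-byte granules, 4-bit tag in pointer bits 59:56. */
#define GRANULE 16u
#define HEAP_BYTES 256u
#define TAG_SHIFT 56
typedef uint64_t tagged_ptr;
static uint8_t heap[HEAP_BYTES];
static uint8_t granule_tag[HEAP_BYTES / GRANULE]; /* one tag per granule */
static uint32_t rng = 0x2545F491u;                /* constructed seed */

/* Pick a nonzero tag that differs from both excluded values. */
static uint8_t next_tag(uint8_t a, uint8_t b) {
    uint8_t t;
    do { rng = rng * 1664525u + 1013904223u; t = (uint8_t)((rng >> 24) & 0xF); }
    while (t == 0 || t == a || t == b);
    return t;
}
/* Allocation and free both retag the region, so stale pointers and the
   left neighbour's pointers stop matching. Returns the new tagged pointer. */
static tagged_ptr mte_retag(size_t off, size_t len) {
    size_t g0 = off / GRANULE, g1 = (off + len + GRANULE - 1) / GRANULE;
    uint8_t t = next_tag(granule_tag[g0], g0 ? granule_tag[g0 - 1] : 0);
    for (size_t g = g0; g < g1; g++) granule_tag[g] = t;
    return ((tagged_ptr)t << TAG_SHIFT) | off;
}
/* Checked load: 0 on success, -1 where hardware would raise a tag fault. */
static int mte_load(tagged_ptr p, uint8_t *out) {
    size_t off = (size_t)(p & 0xFFFFFFFFu);
    uint8_t tag = (uint8_t)((p >> TAG_SHIFT) & 0xF);
    if (off >= HEAP_BYTES || granule_tag[off / GRANULE] != tag) return -1;
    *out = heap[off];
    return 0;
}
/* bit0: valid loads pass; bit1: overflow into neighbour faults; bit2: stale pointer faults. */
static int demo(void) {
    uint8_t v = 0; int r = 0;
    tagged_ptr a = mte_retag(0, 32), b = mte_retag(32, 32);
    if (mte_load(a, &v) == 0 && mte_load(b, &v) == 0) r |= 1;
    if (mte_load(a + 32, &v) == -1) r |= 2;  /* a's tag used on b's memory */
    mte_retag(0, 32);                        /* "free" a: region gets a new tag */
    if (mte_load(a, &v) == -1) r |= 4;       /* use-after-free with the old tag */
    return r;
}
/* How many of the 16 possible pointer tags pass the check at this offset. */
static int guess_hits(size_t off) {
    int hits = 0; uint8_t v;
    for (uint64_t t = 0; t < 16; t++) hits += mte_load((t << TAG_SHIFT) | off, &v) == 0;
    return hits;
}
int main(void) { printf("demo=%d hits=%d\n", demo(), guess_hits(32)); return 0; }
```

Only one of the sixteen tag values passes at any address, which is the statistical cost the paragraph refers to: a pointer carrying the wrong tag faults instead of reading or writing.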
The Exploit: Two Vulnerabilities, Five Days
The attack from Calif is a data-only kernel local privilege escalation chain (a chain that does not inject arbitrary code but manipulates existing data to alter system control) targeting macOS 26.4.1 on bare-metal M5 hardware with the MIE kernel enabled. The starting point is a local privileged account: the chain combines two distinct vulnerabilities with various additional techniques to corrupt kernel memory, access normally inaccessible areas, and conclude with a root shell, achieved using only standard system calls. It is the first public exploit of this kind to survive on MIE-enabled hardware, according to the team's statements in their blog.
The development timeline is quite short: Bruce Dang identified the bugs on April 25, Dion Blazakis joined the project on April 27, and Josh Maine developed the tooling that led to a working exploit by May 1. The attack path on macOS, as the team explicitly writes in their blog, was an accidental discovery since Calif's original target was iOS.
The Role of Mythos Preview
According to the researchers at Calif, Mythos Preview by Anthropic helped identify the bugs and assisted throughout the entire development phase of the exploit. The model, according to Calif's statement, quickly generalizes a known attack class to any issue of that same class: the bugs identified belong to already documented classes, which is why Mythos found them in a short time. However, bypassing MIE independently is more complex, and it is here that human expertise remained indispensable. Thai Duong, CEO of Calif, stated to the Wall Street Journal that the attack would not have been possible without the human researchers working in parallel with the AI.
It should be noted that Mythos Preview is not a publicly accessible model. Anthropic released it in April exclusively to selected partners through Project Glasswing, a defensive security initiative aimed at technology companies, banks, and research institutions. Apple has joined the program. Mozilla reported that the model identified 271 vulnerabilities in Firefox during internal testing. The UK's AI Security Institute verified that Mythos Preview can independently complete complex multi-stage cyberattack simulations. Anthropic had already publicly warned that the model's capabilities in finding exploits were such that a public release would pose a risk to global digital infrastructure.
Implications
The picture that emerges from this situation, as well as from other instances where an AI model has been instrumental in discovering previously unnoticed vulnerabilities, is one of drastic compression of the development cycle for advanced exploits when a frontier model is paired with specialized researchers. The fact that a startup with three engineers took five days to build the first public exploit on MIE is already, in itself, a data point that reshapes assumptions about how quickly an exploit for a vulnerability can be developed. It should be emphasized that MIE was built in an era when this type of operational approach did not exist as a concrete factor. Nonetheless, it is important to highlight that the model did not act alone and that the vector requires non-privileged local access as a prerequisite. The vulnerability was disclosed responsibly before it could be exploited by hostile actors.