Claude Mythos Cracked Apple's Most Expensive Security Feature in Five Days

Five Years. Several Billion Dollars. Five Days.

Apple's Memory Integrity Enforcement, known as MIE, was the flagship security feature of the M5 and A19 chips. Built on ARM's Memory Tagging Extension specification, it works by attaching a 4-bit tag to every 16-byte memory allocation and enforcing tag matching at the hardware level. The goal was to kill the entire class of memory corruption vulnerabilities in one move.

According to Apple's own research, MIE disrupts every known public exploit chain against modern iOS, including the recently leaked Coruna and Darksword exploit kits. Apple has described this as a system designed to stop memory corruption exploits, the vulnerability class behind many of the most sophisticated attacks on iOS and macOS. The company spent an estimated five years engineering it, with internal investment running into the billions.

Then Calif, a security startup with a handful of researchers, used a preview of Anthropic's Mythos AI model to build a working kernel exploit in five days.

From Unprivileged User to Root Shell

The timeline is blunt. Researcher Bruce Dang found the initial bugs on April 25. Dion Blazakis joined Calif on April 27. Josh Maine built the tooling. By May 1, the team had a working exploit.

The result is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (25E253). It starts from a standard unprivileged local user account, uses only normal system calls, and ends with a root shell. The chain combines two distinct vulnerabilities with additional techniques designed to pass the memory-tagging checks that MIE enforces, all running on bare-metal M5 hardware with kernel MIE enabled.

Calif describes the discovery as accidental. The team was exploring how AI could help develop exploits that survive under memory tagging, with a primary focus on iOS. The macOS attack path emerged from that work and was not the original target.

The team disclosed the findings directly to Apple. Rather than submitting through the standard bug reporting queue, they drove to Apple Park in Cupertino and handed over the report in person. A 55-page technical writeup is being held back until Apple ships a patch. Notably, macOS Tahoe 26.5 already credits Calif and Anthropic Research for related fixes, suggesting Apple moved quickly after the disclosure.

Calif published a proof-of-concept video showing kernel memory corruption in action, but is withholding the full exploit details until the vulnerability is patched.

What Mythos Actually Did

The distinction between what the AI did and what the humans did matters here. Mythos Preview identified the two memory corruption bug candidates in the macOS kernel. The model is effective at recognizing known bug classes and moving through them quickly. But MIE is a new mitigation, and autonomously bypassing it still required human expertise. Three researchers at Calif designed the bypass technique, chained the bugs, and assembled the working exploit.

Mythos Preview is currently gated through a limited partner program called Project Glasswing. Calif has been using it as part of a broader research series they call MAD Bugs, short for Month of AI-Discovered Bugs, which documents vulnerabilities found with AI assistance across major platforms.

Calif was direct about what the experiment demonstrated: AI accelerated the discovery phase and assisted through development, but the novel work of bypassing a brand-new hardware mitigation still required skilled human researchers. The point was not that AI replaced the team. The point was what becomes possible when the two work together.

What Mac Users Should Know Right Now

The exploit requires local access to the machine. It is not a remote attack, meaning an attacker would need to already be logged in as a standard user to execute it. That limits the immediate threat surface compared to a remote code execution vulnerability.

Apple is aware of the vulnerability. The personal disclosure at Apple Park means the company has had the full report since at least May 14. The appearance of Calif and Anthropic Research in the macOS Tahoe 26.5 credits list suggests a patch may already be in progress. Users on M5 hardware should prioritize installing the next macOS security update when it ships.

The full 55-page technical breakdown will be released publicly after Apple fixes the vulnerability and attack path. Until then, Calif is holding back the specific techniques to avoid giving attackers a roadmap.

The New Math of Security Research

The broader implication of this story is not about one exploit on one chip. It is about compression. Security research that once required months of expert work is being compressed into days. Calif built a working kernel exploit against the most advanced consumer memory protection system ever shipped in under a week, with a team of three researchers and an AI model in preview.

Apple built MIE before Mythos Preview existed. The security landscape it was designed to address has shifted since then. Calif was direct about this framing in their writeup: MIE was never designed to be hacker-proof, but the speed at which AI-assisted teams can work through mitigations is a variable that did not exist when Apple first started designing the system five years ago.

The security community is watching AI-assisted vulnerability research accelerate across every major platform. Calif's MAD Bugs series is one data point. Anthropic's own research has described Mythos as capable of identifying thousands of zero-day vulnerabilities across major operating systems. The question is no longer whether AI will change the economics of offensive security research. It already has. The question is how fast defenders can adapt.

Sources