Security researchers at a small Palo Alto firm did what seemed improbable. They took an early, unreleased version of Anthropic’s powerful AI model and used it to expose weaknesses in one of the computing world’s most guarded platforms. The result? A working privilege escalation exploit on Apple’s latest M5 silicon. All in five days.
The team from Calif didn’t rely on the AI alone. Human expertise guided the process. But the speed stunned them. Bruce Dang spotted the bugs on April 25. Dion Blazakis joined two days later. By May 1, Josh Maine had built the tooling. A functional chain emerged. From an unprivileged local user account straight to root shell. On bare-metal M5 hardware. With Apple’s newest memory protections fully active.
Memory Protections Meet Their Match
Apple poured five years and, by some estimates, billions of dollars into Memory Integrity Enforcement. This hardware-assisted system, built on ARM’s Memory Tagging Extension, tags every 16-byte slice of memory. It checks pointers against those tags at the hardware level. The goal was clear. Kill off entire classes of memory corruption bugs that have powered exploits for years.
MIE disrupted every known public exploit chain on modern iOS platforms, including sophisticated kits like Coruna and Darksword. Defenders thought they had raised the bar beyond reach for most attackers. Yet Calif’s work showed otherwise. Their data-only kernel local privilege escalation chain survived MIE. It combined two vulnerabilities with several techniques. All through standard system calls. No exotic primitives required.
The researchers delivered a 55-page report to Apple in person at Apple Park. They walked the halls of Cupertino to hand it over. Apple is now reviewing the findings. Full technical details, including the exact bypass methods, will come only after patches ship. The team expects fixes within a year. They even budgeted domain registration fees accordingly.
Anthropic built Mythos Preview as a specialized tool for cybersecurity tasks. So capable at spotting flaws that the company limited its release. Select partners and researchers gained access. Apple was among them through a cybersecurity initiative. The model excels at generalizing from known bug classes. Once trained on patterns, it applies them broadly. Calif’s Khanh, who authored their public post, put it plainly. “Mythos Preview is powerful: once it has learned how to attack a class of problems, it generalizes to nearly any problem in that class.”
But the AI didn’t write the final exploit code autonomously. It helped identify the bugs. It assisted throughout development. Human insight proved essential for bypassing the novel MIE mitigation. “MIE is a new best-in-class mitigation, so autonomously bypassing it can be tricky. This is where human expertise comes in,” the team explained in their blog post.
The discovery happened during tests in April. Researchers probed an early version of the model. They watched it surface issues in macOS that had evaded traditional methods. The WSJ first broke the broader story, detailing how the techniques allowed memory corruption and deeper device access that should stay locked down (Wall Street Journal).
Calif framed the work as part of their “Month of AI-Discovered Bugs.” The message lands clearly. AI systems now hunt vulnerabilities at scale. Some will prove potent enough to defeat even advanced defenses. “This work is a glimpse of what is coming,” they wrote. “Apple built MIE in a world before Mythos Preview. We’re about to learn how the best mitigation technology on Earth holds up during the first AI bugmageddon.”
Landing a kernel memory corruption exploit against these protections in roughly a week carries weight. “It says something strong about this pairing” of top models with expert researchers, the team noted. Small outfits can now achieve what once demanded large organizations. The power balance shifts. Defenders face a harder task. They must anticipate attacks that arrive faster and from unexpected directions.
Recent coverage echoes the concern. 9to5Mac highlighted how Mythos Preview bypassed a five-year Apple security push in five days, drawing directly from Calif’s disclosures (9to5Mac). Engadget stressed that while humans drove the exploit design, advanced AI can surface novel attack paths bad actors might exploit (Engadget).
Tom’s Hardware called it the first Apple M5 memory exploit to grant root access, bypassing MIE on macOS 26.4.1 (Tom’s Hardware). Mashable questioned whether Mythos represents a genuine security threat or mere demonstration, noting Anthropic withheld broader release precisely because of its flaw-finding strength (Mashable).
Apple has not commented publicly on timelines for a patch. The vulnerabilities sit under review. Yet the episode reveals a larger truth. Hardware protections, no matter how sophisticated, assume certain attacker limitations. Those limits erode when AI accelerates discovery and chaining. The model didn’t replace the researchers. It amplified them. Three people. Five days. A kernel compromise on hardware engineered over half a decade to prevent exactly this.
Security teams across the industry now confront the same reality. Bug hunting scales. Attack development compresses. The next wave of vulnerabilities may not come from nation-states alone. Small teams armed with capable models can punch above their weight. Calif proved the point. Their exploit wasn’t theoretical. Video of it in action circulates with their post. From user to root. Memory tags sidestepped. Protections circumvented.
And the conversation has only begun. Researchers continue testing what these systems can do. Anthropic keeps Mythos under tight control for now. But capabilities like this tend to spread. Either through controlled releases or eventual leaks. Apple will patch this chain. The broader question remains. How do you defend systems when the tools used to attack them improve faster than the defenses can adapt?
The Calif team summed up their motivation simply. They wanted to test the possible when best models meet experts. The outcome suggests the possible just expanded. Dramatically. MacOS still ranks among the toughest targets. That reputation just took a hit. Not from a massive hacking group. But from a handful of researchers and an AI that spotted patterns others missed.