Claude Mythos helped break Apple's M5 kernel in 5 days — the first public exploit bypassing Apple's MIE hardware mitigation

On May 14, 2026, security firm Calif disclosed the first public macOS kernel memory-corruption exploit on Apple M5 silicon. The exploit chains two bugs into a working local privilege escalation, and — this is the part that matters — it bypasses Apple’s Memory Integrity Enforcement (MIE), the hardware-software mitigation Apple spent roughly five years building.

The catch: Calif credits Claude Mythos Preview, Anthropic’s restricted frontier model for vulnerability research, with helping them go from “no bugs in hand” to a full root shell in 5 days.

The timeline

Per Calif’s own writeup:

• April 25 — Bruce Dang finds the initial bugs
• April 27 — Dion Blazakis joins; Josh Maine builds tooling
• May 1 — Working exploit running on macOS 26.4.1 (build 25E253)
• In-person disclosure at Apple Park in Cupertino
• May 11 — Apple ships macOS Tahoe 26.5 patch (Apple’s CVE-2026-28952 advisory)
• May 14 — Calif publishes the writeup

What CVE-2026-28952 actually is

From Apple’s own advisory:

Impact: An app may be able to cause unexpected system termination Description: An integer overflow was addressed with improved input validation. Credit: Calif.io in collaboration with Claude and Anthropic Research.

It’s one of seven Kernel CVEs Apple patched in the same release (CVE-2026-28908, -28954, -28897, -28951, -28972, -28986, -28987 are the others — some likely from the same Calif/Anthropic chain).

What Claude Mythos is (and isn’t)

This is the first time Anthropic’s “Mythos” preview model has been publicly credited on a real-world exploit. From the Calif writeup and follow-up reporting:

• Mythos is restricted access, not on the public API. It’s positioned by Anthropic as a frontier model with specialised post-training for vulnerability research.
• It’s not autonomous. Calif explicitly says human researchers were required to assemble the final bypass — Mythos helped identify candidate vulnerabilities and accelerated exploit development, but didn’t deliver a finished exploit on its own.
• The pitch from Calif: “This work is a glimpse of what is coming.”

In other words: this is a human-AI hybrid attack, not “AI hacked Apple.” The distinction matters, because the bigger story isn’t “AI is hacking things on its own” — it’s the speed multiplier. Five days, three humans, plus a model. Compare that to the months a similar M-series exploit chain normally takes from disclosure to writeup.

Why MIE getting bypassed is the actual headline

Memory Integrity Enforcement was Apple’s answer to memory-corruption exploits — the entire class of bugs that has powered every macOS / iOS jailbreak since 2007. Apple spent ~5 years on the hardware/software co-design. MIE was supposed to make memory-corruption exploits on M-series silicon structurally impossible, not just “very hard.”

Calif’s chain proves MIE is bypassable in 5 days with the right tooling. The 55-page technical writeup (published only after Apple shipped the patch) is the longest public writeup ever published on M-series kernel exploitation. Practical takeaway for anyone shipping software on Apple hardware: hardware mitigations slow attackers but don’t replace timely patching.

Why builders should care

This isn’t a story about Apple losing — they patched in under three weeks, credit where it’s due. It’s a story about AI-augmented offensive security being real, not hypothetical, in 2026:

1. AI is now a force multiplier for vulnerability research, on the offense side. If you’re shipping software with security-sensitive code paths, you should assume adversaries with Mythos-class access can find bugs faster than you can audit them.
2. Restricted-access frontier models exist. Mythos isn’t on the public Claude API, but it’s clear Anthropic (and likely OpenAI, Google) have stronger-than-public-API models behind closed doors for specific use cases. This pairs with what OpenAI’s internal model disproving the Erdős conjecture showed us a week ago: the public API surface lags what the labs run internally.
3. Automated patching is no longer optional. Cyber Unit’s writeup frames the operational consequence: if attackers can ship working exploits in 5 days using AI, your patch latency budget shrinks accordingly. macOS Tahoe 26.5 ships May 11 — businesses with delayed-update policies are running unpatched for some window after that.

For comparison-shopping the public-API Claude models that don’t have Mythos-tier vulnerability research training, see our Gemini 3.5 Flash vs Claude Haiku 4.5 walkthrough — these are the tier you actually deploy against, while Mythos sits in Anthropic’s research silo.

What’s still unclear

• How many of the other 6 Kernel CVEs in this patch came from the same chain? Apple only credits Calif/Anthropic by name on one (28952), but the timing strongly suggests overlap.
• Will Mythos ever ship on a public API? Anthropic hasn’t committed publicly. Right now access is by-arrangement only.
• What does “Mythos” cost / scale to? No information.

Sources

• Calif blog — First public macOS kernel memory corruption exploit on Apple M5 — Calif’s own 55-page writeup landing page
• Apple — About the security content of macOS Tahoe 26.5 — official CVE-2026-28952 advisory with credits
• 9to5Mac — Calif team details how Anthropic Mythos helped build a working macOS exploit in five days
• TechRadar — ‘This work is a glimpse of what is coming’
• Decrypt — Apple Mac M5 System Exploited With Anthropic’s Claude Mythos AI
• Hacker News discussion (120↑)