A three-person security team built the first public Apple M5 exploit in roughly five days, going from an ordinary unprivileged account to a full root shell on macOS while Apple’s newest hardware defense was switched on. They did it with help from Claude Mythos Preview, Anthropic’s gated frontier model. The target was Memory Integrity Enforcement (MIE), a defense Apple spent about five years, and by the researchers’ own estimate billions of dollars, building.
That timeline is the headline, and it deserves scrutiny rather than panic. A lot of the viral framing around this story is wrong. Mythos did not autonomously crack Apple’s defenses, MIE was not “broken,” and the widely shared $35,000 and 57,000x figures do not come from the researchers or Anthropic. This article covers what the Apple M5 exploit actually is, what Claude Mythos did and did not do, and what Apple has said about it.
The Key Takeaways
- The Apple M5 exploit is the first public macOS kernel privilege-escalation chain on M5 silicon, taking an unprivileged user to root on macOS 26.4.1 (build 25E253) with kernel MIE enabled.
- Built by Calif researchers Bruce Dang, Dion Blazakis, and Josh Maine in about five days (bugs found April 25, working exploit by May 1, 2026).
- Claude Mythos assisted; it did not act alone. It surfaced the bugs fast because they belong to known classes; bypassing MIE still took heavy human expertise.
- MIE was circumvented, not broken. The chain is data-only, so it sidesteps the memory-corruption class MIE is designed to catch.
- The viral $35,000 cost, hard $2 billion Apple figure, 57,000x ratio and “national defense” quote are not corroborated by primary reporting.
What the Apple M5 Exploit Actually Is
The exploit is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (25E253) on bare-metal Apple M5 hardware. It starts from an unprivileged local user, uses only normal system calls, and ends with a root shell. According to 9to5Mac’s breakdown of the Calif disclosure, the chain links two separate bugs and a handful of techniques to corrupt memory state and reach parts of the system that should be off-limits.
This is the first publicly disclosed macOS kernel memory-corruption exploit on M5 silicon, and that is the part that matters. Apple’s Memory Integrity Enforcement is a hardware-assisted memory-safety system built around ARM’s Memory Tagging Extension (MTE), designed to neutralize the memory-corruption bug class that underpins most modern iOS and macOS exploit chains. Apple built MIE to disrupt every public exploit chain against modern iOS, including the recently leaked Coruna and Darksword exploit kits.
Here is the crucial nuance the social-media version skips. MIE worked as designed. Per AppleInsider’s reporting, the chain “survived MIE protections on bare-metal M5 hardware with kernel MIE enabled,” because it is a data-only attack that avoids the corruption primitives MIE detects rather than defeating the mitigation itself. The defense did its job; the researchers found a path that does not need the door MIE locks.
The Apple M5 Exploit Timeline
The speed is real and well documented. The bugs were found on April 25, 2026; Dion Blazakis joined Calif on April 27; Josh Maine built the tooling; and a working exploit was running by May 1. That is the roughly five-day window everyone is quoting, and it is accurate.
| Date (2026) | Milestone |
|---|---|
| April 25 | Bruce Dang identifies the two underlying bugs |
| April 27 | Dion Blazakis joins Calif; team forms |
| Late April | Josh Maine builds exploitation tooling |
| May 1 | Working root exploit running on M5 with MIE enabled |
| Mid-May | 55-page report hand-delivered to Apple Park, Cupertino |
| May 14 | Public summary published; full technical write-up embargoed until Apple patches |
The team walked a laser-printed 55-page report directly into Apple Park rather than filing it through the usual queue, a deliberate choice to avoid the submission flood seen around events like Pwn2Own. The full technical breakdown stays under embargo until Apple ships a fix.
What Claude Mythos Did, and What It Did Not
This is where the viral version falls apart. The popular framing says Mythos “found a side-channel” on its own. The researchers say something more measured. Mythos surfaced the bugs quickly because they belong to known bug classes, and it is strong at generalizing attack patterns across an entire vulnerability class once it has learned the problem type. Bypassing a brand-new, best-in-class mitigation like MIE, though, still required significant human expertise.
The Calif team described the result as a human-AI pairing, not an autonomous hack. TechRadar quoted the team calling the work “a glimpse of what’s coming,” while crediting Mythos with helping link the bugs and techniques rather than producing the chain end to end. Three experienced exploit developers did the hard part; the model compressed the timeline.
For context on the tool itself, Claude Mythos Preview is Anthropic’s most capable model to date, gated under Project Glasswing and not publicly available. Anthropic says it has uncovered thousands of zero-day vulnerabilities across every major operating system and browser, including a now-patched 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw. Anthropic has chosen not to release the model generally. We cover the model, the leak, and the defensive rationale in depth in our explainer on what Claude Mythos and Project Glasswing actually are.
The Numbers That Are Wrong
Several figures went viral with this story and do not survive a check against primary reporting. They are worth correcting, because they are the entire reason the story sounds apocalyptic.
| Viral claim | What the reporting actually supports |
|---|---|
| $35,000 in Mythos API time | Not stated by Calif or Anthropic. No dollar cost for this exploit has been published; the figure traces to social-media commentary |
| Apple spent $2 billion | Sources say “reportedly billions” over five years; no confirmed $2B figure |
| A 57,000x cost collapse | Author’s own arithmetic built on the two unverified figures above; not a sourced metric |
| Mythos autonomously found a side-channel | Researchers stress a human-AI pairing; bypassing MIE needed heavy human work |
| Anthropic red team called it “national defense” | Not found verbatim in primary reporting; Anthropic frames Glasswing as a defensive head-start before hostile actors get models this capable |
Strip out the bad numbers and the story still holds. An experienced team plus a frontier model produced a first-of-its-kind M5 exploit in days. Exploit brokers have historically paid seven figures for comparable macOS and iOS privilege-escalation chains, so the point about offense getting cheaper and faster stands, even without the made-up ratio.
What Apple Has Said
Apple’s public response has been brief. The company told reporters that “security is our top priority, and we take reports of potential vulnerabilities very seriously,” and it has not yet confirmed whether the specific bugs are patched. Because the exploit was disclosed responsibly and in person, the full technical detail stays embargoed until a fix ships, which limits real-world risk in the meantime.
For everyday Mac users, there is no public proof-of-concept, the chain needs local access to begin with, and a patch is the expected outcome of this disclosure. If you want the broader picture on where Apple’s platform security is heading, our WWDC 2026 preview tracks the roadmap, and our guide to open-source AI models worth running on an M5 Mac covers what the M5 is actually good at day to day.
What This Means for You
You cannot use Claude Mythos; it is restricted to a small group of vetted partners, including AWS, Apple, Google, Microsoft and CrowdStrike. The realistic takeaway is not “AI broke Apple” but “frontier models compress expert work,” and that cuts both ways for defenders and attackers. The same capability that found a 27-year-old OpenBSD bug is being pointed at critical software before bad actors get equivalent tools.
FAQ
Did Claude Mythos hack Apple by itself?
No. Mythos helped surface the bugs and generalize attack patterns, but three experienced Calif researchers did the exploit development. The team explicitly described it as a human-AI pairing, not an autonomous hack.
Was Apple’s Memory Integrity Enforcement broken?
No. MIE worked as designed. The exploit is a data-only chain that sidesteps the memory-corruption class MIE catches, so it circumvented the protection rather than defeating it.
Are the $35,000 and 57,000x figures real?
Those numbers come from social-media commentary, not Calif or Anthropic. Primary reporting says Apple spent “reportedly billions” over five years; the specific cost and ratio claims are not corroborated.
Can I use Claude Mythos?
No. It is not publicly available and Anthropic has not released it generally. Access is limited to a small group of vetted partners under Project Glasswing.
Is my Mac at risk right now?
Low immediate risk. The exploit needs local access, was disclosed responsibly, and the full technical detail is embargoed until Apple patches the underlying bugs.




