Anthropic's Mythos Cracked macOS M5 Security in 5 Days

Security firm Calif published the first public macOS kernel memory corruption exploit targeting Apple M5 silicon on May 14, 2026, revealing that Anthropic's Mythos Preview helped three researchers crack Apple's most advanced security system in roughly five days. The exploit chain escalates an unprivileged local user to a root shell on macOS 26.4.1 using only standard system calls, bypassing Memory Integrity Enforcement, a hardware-level defense Apple spent five years and a reported multi-billion-dollar budget engineering.

What Happened

Researchers Bruce Dang, Dion Blazakis, and Josh Maine of Palo Alto-based Calif discovered two vulnerabilities in macOS on April 25. By May 1, they had chained those bugs together with additional techniques to gain root-level kernel access on bare-metal M5 hardware: a privilege level that grants full control over the machine. Total development time from first bug discovery to working exploit: five days.

The exploit targets macOS 26.4.1 (build 25E253) and runs from an unprivileged local account using only normal system calls. No jailbreak tools or elevated permissions are required to launch it. Blazakis described the successful attack path as "an accidental discovery": the team was broadly researching MIE weaknesses and found a viable attack path along the way.

Before going public, the Calif team visited Apple Park in Cupertino and handed Apple's security engineers a 55-page technical report. Specific bug details remain embargoed until Apple ships a patch.

What Memory Integrity Enforcement Actually Does

Memory Integrity Enforcement is Apple's hardware-assisted defense against the vulnerability class behind the most sophisticated iOS and macOS attacks. Built on ARM's Memory Tagging Extension, MIE assigns cryptographic tags to every memory region and validates them on every access. The design goal is to make memory corruption exploits practically impossible even when an underlying software bug exists.

Apple invested five years in MIE. The company claims it disrupts every known public iOS exploit chain, including the Coruna and Darksword kits used in advanced persistent threat operations against high-value targets. Getting around MIE required chaining two vulnerabilities via a data-only attack path, one that manipulates data values in kernel memory rather than overwriting code pointers, which MIE's tag checking cannot detect.

That distinction matters. Previous mitigations focused on preventing code-pointer overwrites. Data-only attacks leave code pointers untouched and manipulate only data values to influence execution flow, making them inherently harder for hardware tagging systems to catch.

How Mythos Preview Compressed the Research Timeline

Anthropic's Mythos Preview is the same model powering Project Glasswing, Anthropic's $100M cybersecurity defense initiative launched in April 2026. The model is not publicly available and is provided only to vetted organizations for defensive security work.

In the Calif engagement, Mythos Preview helped at two stages. First, it rapidly identified which bug classes were likely present in the code paths the team was auditing, dramatically shortening the reconnaissance phase. Second, once bugs were confirmed, it assisted in reasoning through exploit development strategy and anticipating which techniques would successfully chain the vulnerabilities.

The researchers were explicit that Mythos did not autonomously build the exploit. Human judgment drove every critical decision, including the choice to pursue a data-only attack path. The team's summary describes Mythos as capable of generalizing "to nearly any problem in that class" once a relevant vulnerability pattern is identified, but human researchers remained in the loop throughout. Mythos compressed the timeline; it did not replace the researchers.

Project Glasswing and the Defensive Context

The macOS exploit disclosure arrives three weeks after Anthropic's first major Glasswing result: Mythos Preview found 271 vulnerabilities in Firefox 150 in a single evaluation pass. Mozilla's own writeup describes 180 of those bugs as sec-high severity and says Mythos accomplished the equivalent of a year of manual pentesting in under three weeks.

Glasswing partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic has committed $100M in Mythos usage credits and $4M in direct donations to open-source security organizations under the program. The explicit mission is defensive: find vulnerabilities before attackers do and get patches shipped faster.

But the Calif research makes the dual-use nature concrete. The same model used defensively in Project Glasswing helped build a working exploit in five days against a hardened target that previously would have required months of expert work. The team's conclusion on their blog: "This work is a glimpse of what is coming."

What This Means for Mac Creators

The exploit is a local privilege escalation, not remote code execution. An attacker needs an existing unprivileged account on the target machine to use it. This is not a drive-by attack triggered by visiting a website or opening a file. For creators working on personal machines they control exclusively, practical risk is low today.

Shared environments are a different calculation. Recording studios, production houses, and coworking labs where multiple users share M5 Mac hardware (Mac Studio, Mac Pro) should treat this as high priority. A low-privilege account on a shared machine can escalate to root, granting access to all user data, installed software, credentials stored in Keychain, and system-level controls.

Three immediate steps for Mac creators:

1. Enable automatic security updates. Go to System Settings, then General, then Software Update, and turn on Automatic Updates. Apple will ship a patch; the fix will arrive as a security response or point release to macOS 26.
2. Audit shared machine accounts. If you manage a studio environment, review who holds local accounts on M5 machines. Remove unused accounts and restrict privileges to what each user actually needs.
3. Follow the patch advisory. Apple does not pre-announce patch timelines, but the 55-page technical briefing delivered directly to Apple's team suggests a fix is in active development. Check coverage for patch release announcements over the coming weeks.

Frequently Asked Questions

Is my Mac at risk right now?

Only if someone already has a local unprivileged account on your machine. This is not a remote exploit. If you are the only user on your Mac and you have not granted accounts to others, your exposure is minimal until Apple ships the patch.

Does this affect M1, M2, and M3 Macs as well?

The research specifically targets M5 silicon running macOS 26.4.1. Calif has not confirmed whether earlier Apple Silicon chips are vulnerable to the same attack chain. Apple's investigation ahead of the patch will likely cover the full lineup.

What is Anthropic Mythos Preview and can I access it?

Mythos Preview is Anthropic's most capable model for coding and agentic tasks, currently restricted to cybersecurity research through Project Glasswing. It is not publicly available. Anthropic has stated it has no plans for a general release and intends Mythos to remain a vetted-organization-only tool with appropriate guardrails.

How is this different from previous macOS exploits?

This is the first publicly documented kernel memory corruption exploit that successfully bypasses Memory Integrity Enforcement on M5 hardware. The key innovation is the data-only attack path, which sidesteps MIE's cryptographic tag checking by never touching code pointers. Previous known exploit chains against Apple Silicon had not defeated MIE.

When will Apple release a patch?

No timeline has been announced. Apple confirmed receipt of the researchers' 55-page report and stated "security is our top priority." The company met with the Calif team at Apple Park. Apple typically ships security response updates outside its regular macOS release cadence when vulnerabilities are actively under investigation.

Does this mean AI will make exploits routine?

The Calif team's published conclusion is unambiguous: AI is compressing security research timelines for defenders and attackers alike. Compressing a five-year-hardened target's exploit development from months to five days represents a step change. Organizations relying on the assumption that exploitation is too time-intensive to be practical face increased exposure as these timelines continue to shrink.