Apple's M5 chip's MIE (Memory Integrity Enforcement) was bypassed using AI-assisted kernel attack code, marking the first publicly disclosed instance of this memory corruption protection being overcome.



On May 14, 2026, security company Calif announced that it had created memory corruption attack code for the macOS kernel on M5-powered Macs with Apple's MIE (Memory Integrity Enforcement) enabled.

First public macOS kernel memory corruption exploit on Apple M5
https://blog.calif.io/p/first-public-kernel-memory-corruption



MIE is a security mechanism that combines Apple Silicon's hardware capabilities with OS-level defenses to make attacks exploiting memory corruption more difficult. According to Apple, MIE is the result of approximately five years of design and development, and aims to constantly protect critical attack surfaces, including the kernel, by combining EMTE (Enhanced Memory Tagging Extension), an enhanced version of MTE (Memory Tagging Extension), a secure memory allocator, and a mechanism to protect tag information.

Memory corruption is a problem where software reads or writes to memory areas it shouldn't be accessing. Attackers can use memory corruption as a foothold to gain privileges they wouldn't normally have or to affect the kernel, the core of the operating system. MIE assigns a secret value called a 'tag' to each memory area, and the hardware checks if the tag matches when accessing it. If the tags don't match, the access is stopped and the process is terminated.
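
The tag check described above, modelled in software as an added example (not Apple's code and not taken from Calif's report). The 4-bit tag in pointer bits 59:56 and the 16-byte granule are ARM MTE parameters assumed here, since the page does not give them, and `tag_alloc`, `tag_free` and `checked_store` are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define GRANULE   16   /* assumption: ARM MTE tags memory per 16-byte granule */
#define HEAP_SIZE 256
#define TAG_SHIFT 56   /* assumption: MTE carries a 4-bit tag in pointer bits 59:56 */
typedef uint64_t tptr; /* modelled tagged pointer: (tag << 56) | heap offset */

static uint8_t heap[HEAP_SIZE];
static uint8_t tags[HEAP_SIZE / GRANULE]; /* tag store, one tag per granule; 0 = free */
static size_t  next_off;
static uint8_t next_tag = 1;

static size_t granules(size_t n) { return (n + GRANULE - 1) / GRANULE; }

/* Bump allocator: neighbouring allocations get different tags. Tags are
   sequential here for determinism; real tags are unpredictable and secret. */
tptr tag_alloc(size_t n) {
    size_t g = granules(n);
    if (n == 0 || next_off + g * GRANULE > HEAP_SIZE) return 0;
    uint8_t t = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);              /* cycle 1..15 */
    for (size_t i = 0; i < g; i++) tags[next_off / GRANULE + i] = t;
    tptr p = ((tptr)t << TAG_SHIFT) | next_off;
    next_off += g * GRANULE;
    return p;
}

/* Freeing retags the granules so a stale pointer's tag no longer matches. */
void tag_free(tptr p, size_t n) {
    size_t first = (size_t)(p & 0xFFFFFFFFu) / GRANULE;
    for (size_t i = 0; i < granules(n) && first + i < HEAP_SIZE / GRANULE; i++)
        tags[first + i] = 0;
}

/* The per-access check: pointer tag must equal the memory tag of the granule.
   Returns 0 on success, -1 on mismatch (real hardware raises a fault instead). */
int checked_store(tptr p, size_t idx, uint8_t v) {
    size_t off = (size_t)(p & 0xFFFFFFFFu) + idx;
    uint8_t ptag = (uint8_t)((p >> TAG_SHIFT) & 0xF);
    if (off >= HEAP_SIZE || tags[off / GRANULE] != ptag) return -1;
    heap[off] = v;
    return 0;
}

int main(void) {
    tptr a = tag_alloc(16), b = tag_alloc(16);
    int ok = checked_store(a, 15, 'A'), ovf = checked_store(a, 16, 'B');
    tag_free(a, 16);
    int uaf = checked_store(a, 0, 'C');
    printf("in-bounds=%d overflow=%d use-after-free=%d b=%d\n", ok, ovf, uaf, checked_store(b, 0, 'D'));
    return 0;
}
```

The model catches a linear overflow into the adjacent allocation and a write through a freed pointer, the two cases where the pointer's tag and the memory's tag diverge.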



Apple explains that the purpose of MIE is to significantly increase the development and maintenance costs of sophisticated memory corruption attack chains used by financially motivated spyware and other attackers. According to Apple's assessment, MIE will greatly reduce the means available to attackers against the highly sophisticated attack chains observed in the past three years.

On Macs equipped with the M5 chip and with MIE enabled, security firm Calif has successfully created memory corruption attack code for the macOS kernel. Calif claims to have directly shared its vulnerability investigation report with Apple and states that this is the 'first publicly released macOS kernel memory corruption attack code' that has bypassed MIE on the M5.

According to Calif, the attack code is a 'data-only kernel-local privilege escalation chain' targeting macOS 26.4.1 (25E253). Local privilege escalation refers to an attack that gains higher privileges from a state where a program can already be run as a normal user on a Mac. In this attack chain, only normal system calls were used, and it reached a root shell from a normal user. A root shell means an operating environment on a Mac with very strong administrator privileges.

Calif explains that the attack chain utilized two vulnerabilities and multiple techniques, targeting a real M5 hardware device with kernel MIE enabled. Specific technical details will be released in a 55-page report after Apple fixes the vulnerabilities and attack vectors.

The attack code was created using Anthropic's non-public AI model, 'Claude Mythos Preview.' According to Calif, the vulnerability was discovered on April 25, 2026, and working attack code was completed by May 1st.




However, Calif did not claim that they 'created the attack chain using only AI.' According to Calif, while Claude Mythos Preview helped identify vulnerabilities and develop attack code, MIE is a new, advanced defense mechanism, and human expertise was crucial. Claude Mythos Preview quickly identified issues belonging to a known vulnerability class, and human researchers then worked to circumvent the advanced defenses.

The important point of this announcement is not that MIE is 'broken,' but rather that even with sophisticated defenses like MIE, an attack chain can still be established if the right combination of vulnerabilities, experts, and AI assistance is in place. Calif states that MIE is not meant to completely shut out hackers, and that it can be bypassed if the right vulnerabilities are present.

Calif states that AI systems are increasingly discovering vulnerabilities, and that it is inevitable that vulnerabilities that can bypass advanced defenses like MIE will be found. Calif also explains that this attack code is an example of how top-level defense technologies will withstand the 'era of AI-driven vulnerability discovery.'

in AI, Security, Posted by log1d_ts