A three-person team at Palo Alto-based cybersecurity firm Calif used Anthropic’s Mythos Preview agent to discover two previously unknown macOS vulnerabilities, then chained them into a working privilege escalation exploit on Apple’s M5 silicon in five days. The exploit bypasses Memory Integrity Enforcement (MIE), the hardware-assisted memory safety system Apple spent five years building into its newest chips.
What Calif Found
Bruce Dang discovered the bugs on April 25. Dion Blazakis joined the effort on April 27. Josh Maine built the tooling. By May 1, the team had a working exploit, according to Calif’s blog post.
The attack is a data-only kernel local privilege escalation chain targeting macOS 26.4.1. It starts from an unprivileged local user, uses only normal system calls, and ends with a root shell, as 9to5Mac reported. The team tested it on bare-metal M5 hardware with kernel MIE enabled.
MIE is Apple’s extension of Arm’s Memory Tagging Extension (MTE), designed to detect and block memory corruption attacks at the hardware level. Apple introduced it last year across iPhone 17, iPhone Air, and M5 Macs. According to Apple’s own research, MIE disrupts every previously known public exploit chain against modern iOS, including the leaked Coruna and Darksword exploit kits.
Calif’s exploit is the first public kernel memory corruption attack to bypass it.
How Mythos Fit Into the Workflow
Mythos Preview identified the two vulnerabilities quickly because they belonged to known bug classes, according to Calif’s technical writeup. The model generalizes well once it learns how to attack a class of problems: “Mythos discovered the bugs quickly because they belong to known bug classes.”
The bypass itself required human expertise. MIE is a novel mitigation, and autonomously circumventing it “can be tricky,” the team wrote. Calif CEO Thai Dong told The Wall Street Journal the attack “couldn’t have been pulled off by Mythos alone and leveraged the very human cybersecurity expertise of some of Calif’s hackers.”
The distinction matters. Mythos handled the pattern-matching across known vulnerability classes. Humans handled the novel architectural reasoning needed to turn those bugs into a chain that defeats a mitigation nobody had publicly broken before. As Calif framed it: “Part of our motivation was to test what’s possible when the best models are paired with experts. Landing a kernel memory corruption exploit against the best protections in a week is noteworthy, and says something strong about this pairing.”
Apple’s Response
The team traveled to Apple Park in Cupertino to deliver a 55-page technical report directly to Apple’s security team, according to Engadget. An Apple spokesperson told the WSJ: “Security is our top priority, and we take reports of potential vulnerabilities very seriously.”
Calif CEO Dong told Cybersecurity News he believes “the bugs will likely be fixed pretty quickly.” Full technical details will remain under wraps until Apple ships patches.
The Acceleration Pattern
This is not an isolated result. Mozilla previously patched 271 Firefox vulnerabilities found through Mythos via Anthropic’s Project Glasswing initiative, which gives roughly 40 organizations controlled access to the model for defensive research with up to $100 million in usage credits. Mythos also reportedly uncovered a 27-year-old OpenBSD bug and Linux privilege escalation vulnerabilities, according to Cybersecurity News.
The throughput compression is the headline for security teams running their own agent-assisted workflows. Five years of Apple hardening, broken in five days by three researchers with an AI agent handling vulnerability discovery while humans handled the creative exploitation work. The question for every organization running defensive security programs: if a three-person team can do this with controlled Mythos access, what happens when equivalent capability shows up in open-weight models without access restrictions?