First Apple M5 memory exploit discovered using Anthropic AI, gives root access on macOS
At a glance:
- First Apple M5 memory exploit discovered using Anthropic AI, granting root access on macOS.
- The vulnerability bypasses Apple's Memory Integrity Enforcement (MIE) on M5 and A19 chips.
- Discovered by Calif as part of the Month of AI-Discovered Bugs, disclosed to Apple in advance.
What happened
Security researchers have uncovered a critical vulnerability affecting Apple's M5 chip and macOS, marking the first known exploit that bypasses the company's Memory Integrity Enforcement (MIE) feature. The flaw, discovered by the research team Calif, allows a standard user to execute a single command and gain root-level access to the system. This means an attacker with local access could potentially take full control of a Mac machine. The vulnerability was tested on an Apple M5 machine running macOS 26.4.1 and is part of a series of security findings disclosed by Calif under their "Month of AI-Discovered Bugs" initiative. The team used Anthropic's Mythos Preview, an AI tool, to assist in the discovery of this and other vulnerabilities.
The disclosure process was handled responsibly, with Calif informing Apple of the issue in advance, including an in-person meeting. This proactive approach contrasts with some recent high-profile zero-day exploits that left system administrators scrambling for patches. As of now, Calif believes they are the only group publicly disclosing this specific M5 memory exploit, though they acknowledge that other researchers might have independently discovered it but not yet shared their findings.
How the exploit works
The exploit targets Apple's Memory Integrity Enforcement (MIE), a hardware-level security feature designed to protect against common memory corruption attacks such as buffer overflows and use-after-free vulnerabilities. MIE is built on ARM's Memory Tagging Extension (MTE) and is implemented in the M5 and A19 chips. It works by associating a 4-bit tag with every 16-byte slice of memory, so that a load or store is only permitted when the tag carried by the pointer matches the tag of the memory it touches. The enforcement is performed in hardware, in a hypervisor-like configuration, providing robust protection with minimal overhead (reportedly just 3% memory wastage).
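To make the tagging rule concrete, here is an added C model of the check MTE performs; it is not code from the article or from Calif's research. It simulates a small heap of 16-byte granules with a 4-bit tag each, carries the tag in the pointer's top byte (bits 56-59, as on AArch64), and shows why a linear overflow and a use-after-free both fail the check; the bump allocator and the round-robin tag policy are assumptions chosen for the simulation, not how Apple's allocator picks tags.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simulated MTE-style heap: one 4-bit tag per 16-byte granule, tag carried in the pointer's top byte. */
#define GRANULE    16
#define HEAP_BYTES 4096
#define NGRANULES  (HEAP_BYTES / GRANULE)
#define TAG_SHIFT  56

typedef uint64_t tptr;                          /* tagged pointer: heap offset | tag << 56 */
static uint8_t heap[HEAP_BYTES];
static uint8_t granule_tag[NGRANULES];          /* the "colour" of each 16-byte granule */
static size_t  heap_top;                        /* bump allocator position, in bytes (assumption) */
static uint8_t next_tag = 1;

static uint8_t  ptr_tag(tptr p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static uint64_t ptr_off(tptr p) { return p & ((1ULL << TAG_SHIFT) - 1); }

/* Cycle through tags 1..15 so two consecutive colourings never share a tag (simulation policy). */
static uint8_t fresh_tag(void) { uint8_t t = next_tag; next_tag = (uint8_t)(next_tag % 15 + 1); return t; }

/* Colour every granule covering [off, off+n) with one tag. */
static void colour(uint64_t off, size_t n, uint8_t tag) {
    for (size_t g = off / GRANULE; g < (off + n + GRANULE - 1) / GRANULE; g++) granule_tag[g] = tag;
}

/* Allocate n bytes rounded up to whole granules under a fresh tag; returns 0 when the heap is exhausted. */
static tptr tagged_alloc(size_t n) {
    size_t bytes = (n + GRANULE - 1) / GRANULE * GRANULE;
    if (heap_top + bytes > HEAP_BYTES) return 0;
    tptr p = heap_top | ((tptr)fresh_tag() << TAG_SHIFT);
    colour(heap_top, bytes, ptr_tag(p));
    heap_top += bytes;
    return p;
}

/* Freeing retags the granules, so a dangling pointer still carrying the old tag no longer matches. */
static void tagged_free(tptr p, size_t n) { colour(ptr_off(p), n, fresh_tag()); }

/* The hardware rule: a load or store is allowed only when the pointer's tag equals the granule's tag. */
static bool tag_check(tptr p) { uint64_t o = ptr_off(p); return o < HEAP_BYTES && granule_tag[o / GRANULE] == ptr_tag(p); }
static bool tagged_store(tptr p, uint8_t v) { if (!tag_check(p)) return false; heap[ptr_off(p)] = v; return true; }
static bool tagged_load(tptr p, uint8_t *v) { if (!tag_check(p)) return false; *v = heap[ptr_off(p)]; return true; }

/* Linear overflow: the neighbouring allocation has a different tag, so the write one byte past the end is refused. */
bool overflow_is_caught(void) {
    tptr buf = tagged_alloc(16);
    tagged_alloc(16);                           /* neighbour: receives a different tag */
    return buf && tagged_store(buf + 15, 0x41) && !tagged_store(buf + 16, 0x41);
}

/* Use-after-free: the live object reads back correctly; after free the stale pointer fails the tag check. */
bool uaf_is_caught(void) {
    tptr obj = tagged_alloc(32);
    uint8_t v = 0;
    bool live_ok = obj && tagged_store(obj, 0x42) && tagged_load(obj, &v) && v == 0x42;
    tagged_free(obj, 32);
    return live_ok && !tagged_load(obj, &v);
}
```

Because a tag has only 16 possible values, a real allocator must also choose tags carefully for neighbouring and reused allocations; this model sidesteps that with its round-robin policy.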
Despite MIE's sophisticated design, the discovered exploit manages to bypass these protections. While the technical details are still emerging, the vulnerability is described as simple in practice: a single command executed by a standard user can escalate privileges to root. The exploit chain effectively circumvents the memory tagging checks, allowing unauthorized memory access. This breakthrough highlights the evolving cat-and-mouse game in cybersecurity, where even advanced hardware safeguards can be compromised by novel attack vectors.
Why it matters
The practical impact of this exploit is currently limited because Apple's Mac computers are rarely used as servers, which are more common targets for remote attacks. However, the vulnerability remains concerning due to its ease of exploitation. Attackers could trick a user into running the malicious command, and once root access is achieved, the malware can be difficult to detect and remove. This scenario poses a significant risk in environments where Macs handle sensitive data or are part of a larger network.
This discovery is part of a broader trend in security research, where AI tools like Anthropic's Mythos are accelerating the identification of vulnerabilities. The "Month of AI-Discovered Bugs" series, which includes this Apple exploit, underscores the growing role of artificial intelligence in both offensive and defensive security. As AI-assisted research becomes more prevalent, we can expect to see more complex vulnerabilities uncovered, pushing companies to continuously strengthen their security measures.
Prepared by the editorial stack from public data and external sources.