Calif security researchers, aided by AI model Mythos Preview, built a working macOS kernel privilege escalation exploit on M5 silicon bypassing MIE in five days.
Key Takeaways
MIE (Memory Integrity Enforcement), Apple’s hardware-assisted MTE-based mitigation introduced with M5/A19, was bypassed via a data-only kernel local privilege escalation chain.
The exploit chain targets macOS 26.4.1 (25E253), starts from an unprivileged local user using only normal syscalls, and ends with a root shell on bare-metal M5.
Two vulnerabilities were found April 25-27 by Bruce Dang and Dion Blazakis; Josh Maine built tooling; a working exploit landed May 1st – five days total.
The attack is data-only, meaning it avoids triggering MTE tag checks rather than defeating the hardware mechanism directly.
The full 55-page technical report will be released after Apple ships a fix; Apple was notified in person at Apple Park.
Hacker News Comment Review
Discussion centers on the data-only attack angle: by avoiding pointer tag violations, the exploit sidesteps MTE enforcement entirely rather than breaking the hardware primitive.
Commenters question why Apple’s fbounds checking, applied aggressively elsewhere, was absent here – suggesting MIE plus fbounds together would close this class of attack.