macOS M5 Kernel Exploit Built in 5 Days, Bypasses Apple's MIE

Key Takeaways

- First public kernel memory corruption exploit on Apple M5 silicon bypasses MIE hardware protection
- Researchers built the working exploit in five days, compared to Apple's five years developing MIE
- The exploit achieves root shell from an unprivileged local user using only normal system calls

Apple's latest hardware security feature lasted about a week against determined researchers. Security firm Calif announced the first public kernel memory corruption exploit targeting Apple's M5 silicon, bypassing the Memory Integrity Enforcement (MIE) system that Apple spent five years developing.

The team built a working exploit in five days. They reported it to Apple in person at Apple Park on May 14, 2026, hand-delivering a laser-printed vulnerability report. Their reasoning: avoid getting lost in the submission flood that typically buries remote disclosures.

What MIE Was Supposed to Stop

Memory Integrity Enforcement is Apple's hardware-assisted memory safety system built around ARM's Memory Tagging Extension (MTE). Apple introduced it as the flagship security feature for the M5 and A19 chips, specifically designed to stop memory corruption exploits.
Memory corruption remains the most common vulnerability class on iOS and macOS. It powers many of the most sophisticated compromises on both platforms. Apple's approach was to push defenses directly into hardware, making bypasses significantly harder.
According to Apple's own research, MIE disrupts every public exploit chain against modern iOS, including the recently leaked Coruna and Darksword exploit kits. The company reportedly spent billions of dollars on the technology.

How the Exploit Works

The exploit is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (build 25E253). It starts from an unprivileged local user, uses only normal system calls, and ends with a root shell.
Bruce Dang found the initial bugs on April 25th. Dion Blazakis joined the Calif team on April 27th. Josh Maine built the tooling, and by May 1st they had a working exploit. The macOS attack path was actually an accidental discovery while the team was exploring AI-assisted exploit development under MTE.
Calif worked with Mythos Preview on the exploit development. The firm noted they have been exploring how AI can help build exploits that still work under MTE protection. While Apple's primary focus with MIE was iOS security, they also brought the technology to the M5 chips powering the latest MacBooks.

Technical Details Still Under Wraps

Calif plans to release full technical details after Apple fixes the vulnerabilities and attack path. The firm joked they only budgeted one year of domain registration fees for the attack, hoping Apple moves faster than that.
The exploit's data-only nature is notable. It avoids code injection entirely, instead manipulating existing data structures to achieve privilege escalation. This approach is specifically designed to work around modern memory protections that focus on preventing malicious code execution.
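
To make the data-only point concrete, here is a toy model of allocation-granularity memory tagging in general. It is an added example, not code from the article, Calif or Apple, and it does not depict the unreleased exploit; the granule size, record layout, tag values and function names are all constructed. A store that spills into a neighbouring allocation faults on the tag mismatch, while an overrun that stays inside the same allocation passes the tag check and is stopped only by a software bounds check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of tag-checked memory (constructed; not Apple's MIE or the Calif chain). */
enum { GRANULE = 16, HEAP = 64, NAME_LEN = 12, UID_OFF = 12, REC = 16 };
static uint8_t heap[HEAP], gtag[HEAP / GRANULE];
typedef struct { uint8_t tag; size_t off; } tptr;   /* pointer = tag + address */

/* Tag every granule of [off, off+size) and return a pointer carrying that tag. */
static tptr toy_alloc(size_t off, size_t size, uint8_t tag) {
    for (size_t g = off / GRANULE; g * GRANULE < off + size; g++) gtag[g] = tag;
    return (tptr){ tag, off };
}

/* Tag-checked store: 0 on success, -1 (tag fault) if any byte lands in a
 * granule whose tag differs from the pointer's. Nothing is written on fault. */
static int store(tptr p, size_t delta, const void *src, size_t n) {
    if (p.off + delta + n > HEAP) return -1;
    for (size_t i = 0; i < n; i++)
        if (gtag[(p.off + delta + i) / GRANULE] != p.tag) return -1;
    memcpy(heap + p.off + delta, src, n);
    return 0;
}

static uint32_t get_uid(tptr r) { uint32_t u; memcpy(&u, heap + r.off + UID_OFF, sizeof u); return u; }
static int set_uid(tptr r, uint32_t u) { return store(r, UID_OFF, &u, sizeof u); }

/* Flawed setter: trusts the caller's length, so it can run past the name field. */
static int set_name_unchecked(tptr r, const void *s, size_t n) { return store(r, 0, s, n); }
/* Hardened setter: the field bound is enforced in software, before the store. */
static int set_name_checked(tptr r, const void *s, size_t n) {
    return n > NAME_LEN ? -1 : store(r, 0, s, n);
}

int main(void) {
    uint8_t in[32] = {0};                          /* constructed oversized input */
    tptr a = toy_alloc(0, REC, 0x3), b = toy_alloc(16, REC, 0x9);
    set_uid(a, 501); set_uid(b, 501);
    int spill = set_name_unchecked(a, in, 32);     /* crosses into b: tag fault */
    int inside = set_name_unchecked(a, in, 16);    /* stays in a: tag check passes */
    uint32_t uid_after = get_uid(a);               /* uid field was overwritten */
    set_uid(a, 501);
    int hardened = set_name_checked(a, in, 16);    /* rejected by the bounds check */
    printf("spill into next allocation: %d\n", spill);
    printf("overrun inside allocation:  %d, uid now %u\n", inside, (unsigned)uid_after);
    printf("hardened setter:            %d, uid still %u\n", hardened, (unsigned)get_uid(a));
    return 0;
}
```
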

Why This Matters Beyond Apple

Many security experts consider Apple devices the most secure consumer platform. If MIE can be bypassed this quickly, other hardware-assisted memory safety implementations may face similar challenges.
The security industry has long operated on a principle: if you cannot fully prevent something, you accept the risk and mitigate it by making exploitation more expensive. Apple's approach was to push mitigations into hardware, which should make bypasses harder. But mitigations carry performance costs, and even well-funded implementations are not invulnerable.
The five-days-versus-five-years contrast is stark, though it requires context. Calif's team included experienced exploit developers, and they were looking specifically for weaknesses in a new protection system. Still, the speed of the bypass suggests that hardware memory tagging is not the silver bullet some hoped it would be.

Frequently Asked Questions

What is Apple's MIE security feature?
Memory Integrity Enforcement is Apple's hardware-assisted memory safety system built on ARM's Memory Tagging Extension. It was introduced with the M5 and A19 chips to prevent memory corruption exploits.
Which macOS version is affected by this exploit?
The exploit targets macOS 26.4.1 (build 25E253) running on Apple M5 silicon.
Does this exploit require physical access to the Mac?
The exploit requires local access. It starts from an unprivileged local user account and uses only normal system calls to achieve root shell.
When will Apple fix this vulnerability?
Apple has not announced a timeline. Calif reported the vulnerability on May 14, 2026, and will release technical details after Apple patches the issue.
Are iPhones with A19 chips also vulnerable?
The researchers focused on macOS and M5. While A19 chips also use MIE, the exploit path was specific to macOS. Whether similar techniques apply to iOS is not yet known.
Source: Hacker News: Best / Calif
Huma Shazia
Senior AI & Tech Writer