Five Days vs. Five Years: Apple's New Kernel Defense, Cracked

I remember a conversation a few years ago with a colleague who worked in platform security. He said something I’ve been thinking about ever since: “The hardest thing about defense is asymmetry. You have to get everything right. The attacker only needs to find one thing.”

The asymmetry used to cut the other way in practice, though. Finding the one thing was hard. It required years of specialization, deep knowledge of the specific architecture, and enormous amounts of time staring at disassembly. Defense could afford to be methodical and slow. Offense had to be patient and expensive.

That arithmetic may have just changed.

The story in one sentence

A Calif researcher faces a M5 + MIE chip; a strike lands and a '# root shell' prompt appears.

A five-person team at a startup called Calif, aided by an AI system called Mythos Preview, built the first public kernel memory corruption exploit for macOS on Apple M5 silicon - the chip Apple specifically designed to stop this exact class of attack - in five days.

Five years of work, five days to break it

A scoreboard places APPLE: 5 YEARS against CALIF + AI: 5 DAYS, showing the new asymmetry between defenders and AI-aided attackers.

Apple spent roughly five years developing MIE: Memory Integrity Enforcement. It’s their hardware-assisted memory safety system, built on top of ARM’s MTE (Memory Tagging Extension). The design target was explicit: make memory corruption exploits so expensive they’re not worth attempting.

MIE launched as the marquee security feature of M5 and A19. Apple’s own security blog claimed it disrupts every public exploit chain against modern iOS, including the recently leaked Coruna and Darksword exploit kits. The write-up notes, with no apparent irony: “Many security experts consider Apple devices to be the most secure consumer platform.”

Then Bruce Dang found two bugs on April 25th. Dion Blazakis joined the effort on April 27th. Josh Maine built the tooling. By May 1st, they had a working exploit.

Five days.

The exploit is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (25E253). Unprivileged local user in. Ordinary system calls only. Root shell out. Two vulnerabilities. Bare-metal M5 hardware. Kernel MIE enabled.

unprivileged user
      │
      │  normal syscalls only
      ▼
 kernel MIE bypass
 (two bugs, data-only chain)
      │
      ▼
   root shell

The full 55-page technical report is being held until Apple ships a fix. Calif only budgeted one year of domain registration fees for this attack, so hopefully not too long.

Why this hit the front page

Two figures meet at Apple Park; a 55-page report glides from Calif's hand into Apple's.

Two things happened at once.

First, the result is genuinely historic. This is - to the best of anyone’s public knowledge - the first macOS kernel exploit running on MIE hardware that has been disclosed. That’s a notable milestone regardless of how it was done.

Second, how they did it is arguably more interesting than the fact that they did. Mythos Preview, Calif’s AI, identified the bugs and assisted throughout exploit development. The humans didn’t just supervise; they provided the specific expertise needed to bypass MIE itself, because MIE is new enough that even the AI needed guidance. The sentence in the write-up that stuck with me: “Mythos discovered the bugs quickly because they belong to known bug classes. But MIE is a new best-in-class mitigation, so autonomously bypassing it can be tricky. This is where human expertise comes in.”

Human experts + frontier AI = five days. Apple’s hardware team + five years = MIE.

The delivery method didn’t hurt either. Instead of submitting through a portal, Calif drove to Apple Park, got a tour (they mention the apple trees), and handed over a laser-printed copy of their research. “We wanted to report it in person, instead of getting buried in the submission flood that some unfortunate Pwn2Own participants just experienced.” The physical strategy, as they put it, “may give us a slight edge in the eternal race for five minutes of fame and glory on Twitter.”

What the thread is arguing about

Three figures represent the HN camps: 'is Mythos real,' 'we are centaurs now,' and the bounty-money math camp.

The HN comments broke into three camps:

The “is Mythos even real?” contingent. One commenter immediately asked whether Mythos was still restricted to a handpicked list of megacorps, or whether it had finally opened up. Another wrote: “So like… I thought Mythos was just a bunch of hype?” The question is fair - this is a non-public model making extraordinary claims. The 55-page technical report, once it’s out, will either settle the debate or intensify it.

The “we’re all centaurs now” camp. Others took the claim at face value and started processing implications. “Discovering such a high-ranking critical exploit within a week by coupling experts with frontier models is an amazing new journey we’re about to embark on.” And one honest reflection: “I did notice having more confidence to take on more ambitious work lately. We’re all centaurs now.” That last line may age interestingly.

The money math. Someone ran the bounty numbers: as demonstrated, this is roughly a $100K find on Apple’s platform. But framed as unauthorized access against a beta macOS build, it could be $1.5M. Calif appears to be in the disclosure business. For now.

Should this change how you think about platform security?

Four columns appear - Research, Platform, Bug bounty, Mac users - each with its takeaway from the new AI-assisted exploit world.

If you work in…	What this means
Security research	The expert gap is compressing. Specialized knowledge still matters (humans had to guide the MIE bypass), but AI dramatically shortens the path to “working exploit.”
Platform engineering	MIE was designed for the world before Mythos. Hardware mitigations will need to be evaluated against AI-assisted adversaries, not just patient humans.
Bug bounty programs	The rate at which novel exploits are developed is probably going up. Triage and patch velocity matter more now.
General Mac security	This is a local privilege escalation - attacker needs a foothold first. Not a remote zero-click. Real risk, but not “open a webpage and you’re owned.”

The part Apple didn’t pay five billion dollars to defend against

A flying saucer marked $5,000,000,000 sits opposite a small office building of 5 people plus AI. Caption: 'nhỏ mà có võ' - small but mighty.

The Calif write-up ends with a line that lands differently once you’ve read the whole post:

“Small teams can suddenly do things that used to require entire organizations. With the right strategy and people, even a tiny company can become mighty enough that the world’s largest companies start asking for its help.”

They end in Vietnamese: “nhỏ mà có võ.” Small but mighty.

Apple spent $5 billion building their office. Calif’s office cost less than $1 billion (presumably significantly less). And a five-person team with an AI just walked into Cupertino with a laser-printed report that will cost Apple’s security engineering team months of work to fix.

The math on “what a small team can accomplish” is being rewritten in real time.

Discussion on Hacker News · Source: blog.calif.io · Submitted by quadrige