
First public macOS kernel memory corruption exploit on Apple M5

Why This Matters

The discovery of the first public macOS kernel memory corruption exploit on Apple M5 silicon highlights ongoing security challenges even on highly protected platforms. It underscores the importance of continuous vulnerability research and the need for Apple to swiftly implement patches to maintain user trust and device security. This development serves as a reminder that no system is invulnerable, and proactive security measures remain crucial for the tech industry and consumers alike.

Key Takeaways

Early this week, we had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends.

We wanted to report it in person, instead of getting buried in the submission flood that some unfortunate Pwn2Own participants just experienced. Most respected hackers avoid human interaction whenever possible, so this physical strategy may give us a slight edge in the eternal race for five minutes of fame and glory on Twitter.

This is the story of the exploit and our field trip. Full technical details will be shared after Apple fixes the vulnerabilities and attack path. Hopefully it won’t take our beloved company too long. We only budgeted one year of domain registration fees for this attack.

Memory corruption remains the most common vulnerability class everywhere, including iOS and macOS. In security, if you can’t fully prevent something, you accept the risk and mitigate it by making exploitation more expensive.

But mitigations are not cheap. If performance didn’t matter, many security problems would be easy to solve. Apple is smart and controls the full stack, so they pushed many of these defenses directly into hardware and made bypassing them significantly harder. Many security experts consider Apple devices to be the most secure consumer platform.

The latest flagship example is MIE (Memory Integrity Enforcement), Apple’s hardware-assisted memory safety system built around ARM’s MTE (Memory Tagging Extension). It was introduced as the marquee security feature for the Apple M5 and A19, specifically designed to stop memory corruption exploits, the vulnerability class behind many of the most sophisticated compromises on iOS and macOS.
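To make the tagging idea behind MIE concrete, here is a small C model of an MTE-style tagged heap. It is an added illustration, not code from the article, from Calif's report, or from Apple's implementation; it assumes 16-byte granules, 4-bit tags carried in the pointer's top byte, and distinct tags for adjacent allocations.

```c
// Toy model of memory tagging (MTE-style). Educational simulation only:
// not Apple's MIE implementation. Assumed: 16-byte tag granules, one 4-bit
// tag per granule, the pointer's tag in its top byte, and neighbouring
// allocations always coloured with different tags.
#include <stdint.h>
#include <stddef.h>

#define GRANULE 16
#define HEAP_SIZE 256
#define TAG_SHIFT 56

static uint8_t heap[HEAP_SIZE];                  // simulated tagged memory
static uint8_t granule_tag[HEAP_SIZE / GRANULE]; // tag stored per granule
static size_t heap_top = 0;
static uint8_t next_tag = 1;                     // tag 0 is reserved as "untagged"

/* Allocate `size` bytes rounded up to whole granules, colour those granules
 * with a fresh tag and return an address whose top byte carries that tag. */
static uintptr_t tagged_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (heap_top + n * GRANULE > HEAP_SIZE) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);     // cycle 1..15, so neighbours differ
    for (size_t i = 0; i < n; i++) granule_tag[heap_top / GRANULE + i] = tag;
    uintptr_t p = (uintptr_t)heap_top | ((uintptr_t)tag << TAG_SHIFT);
    heap_top += n * GRANULE;
    return p;
}

/* Store one byte through a tagged pointer. Returns 1 on success, 0 when the
 * pointer's tag differs from the granule's tag (where hardware would fault). */
static int tagged_store(uintptr_t p, uint8_t value) {
    uint8_t ptag = (uint8_t)(p >> TAG_SHIFT);
    size_t off = (size_t)(p & ((1ULL << TAG_SHIFT) - 1));
    if (off >= HEAP_SIZE) return 0;
    if (granule_tag[off / GRANULE] != ptag) return 0;   // tag mismatch
    heap[off] = value;
    return 1;
}

/* Linear overflow starting at p: returns how many bytes landed before the
 * first tag check failed. */
static int overflow_write(uintptr_t p, size_t len) {
    int ok = 0;
    for (size_t i = 0; i < len; i++) {
        if (!tagged_store(p + i, 0x41)) break;
        ok++;
    }
    return ok;
}
```

Real MTE allocators also re-tag a region when it is freed and reused, so a stale pointer fails the same check; this model covers only the linear-overflow case.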

Apple spent five years building it. Probably billions of dollars too. According to their research, MIE disrupts every public exploit chain against modern iOS, including the recently leaked Coruna and Darksword exploit kits.

We’ve been on a fun journey exploring how AI can help build exploits that still work under MTE. While Apple’s focus is primarily iOS, they also brought MIE to the M5, the chip powering the latest MacBooks.

Our macOS attack path was actually an accidental discovery. Bruce Dang found the bugs on April 25th. Dion Blazakis joined Calif on April 27th. Josh Maine built the tooling, and by May 1st we had a working exploit.

The exploit is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (25E253). It starts from an unprivileged local user, uses only normal system calls, and ends with a root shell. The implementation path involves two vulnerabilities and several techniques, targeting bare-metal M5 hardware with kernel MIE enabled.
