First public macOS kernel memory corruption exploit on Apple M5

Researchers have publicly demonstrated the first macOS kernel memory corruption exploit on Apple M5 chips that survives the hardware security feature MIE, achieving a local privilege escalation from an unprivileged user to root.

The exploit was discovered through a collaborative effort involving security researchers and AI-assisted tools, and was developed over a period of less than a month. It targets macOS 26.4.1 (25E253) running on M5 hardware with Memory Integrity Enforcement (MIE) enabled, a security system designed to prevent memory corruption attacks.

The attack chain involves two vulnerabilities and several techniques that allow an unprivileged local user to escalate privileges to root, culminating in a root shell. The researchers confirmed that the exploit bypasses MIE, which is built around ARM’s Memory Tagging Extension (MTE), a hardware-assisted memory safety feature introduced by Apple in the M5 chip.

The researchers emphasized that this is the first public demonstration of such an exploit on MIE-enabled macOS, marking a significant milestone in hardware security research. They also noted that the exploit was developed with the aid of Mythos Preview, an AI tool capable of identifying bug classes and assisting in exploit development, highlighting the increasing role of AI in security research.

Why It Matters

This development is significant because it demonstrates that even advanced hardware-based security features like MIE can be bypassed under certain conditions. It raises concerns about the long-term security of Apple’s silicon, especially as AI tools become more effective at discovering vulnerabilities. The exploit could potentially be used by malicious actors if not promptly addressed, threatening the integrity of macOS security.

For users and organizations relying on Apple’s hardware for security, this underscores the importance of ongoing vulnerability assessments and updates, as well as the need for Apple to respond swiftly with patches to mitigate such risks.

STREBITO Electronics Precision Screwdriver Sets 142-Piece with 120 Bits Magnetic Repair Tool Kit for iPhone, MacBook, Computer, Laptop, PC, Tablet, PS4, Xbox, Nintendo, Game Console

【Wide Application】This precision screwdriver set has 120 bits, complete with every driver bit you’ll need to tackle any…

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background

Apple introduced MIE with the M5 chip as part of its efforts to enhance hardware security, aiming to prevent memory corruption exploits that have historically been a common attack vector. MIE leverages ARM’s MTE technology to enforce memory safety at the hardware level, disrupting many public exploit chains against iOS and macOS. Prior to this, Apple claimed MIE would significantly strengthen device security.

The discovery of this exploit was accidental, made by researchers who identified vulnerabilities during routine testing. The development process involved multiple researchers and the use of AI-assisted tools, illustrating how modern security research increasingly combines human expertise with AI capabilities. The researchers shared that they plan to publish a detailed technical report after Apple releases a fix.

“This is the first public demonstration of a macOS kernel exploit on MIE hardware, showing that even the most advanced mitigations can be bypassed with the right vulnerabilities.”

— Research team spokesperson

“Landing a kernel memory corruption exploit against the best protections in just a week demonstrates the power of combining AI tools with human expertise.”

— Lead researcher Bruce Dang

binifiMux 50pcs M5-0.8mm Button Head Torx Security Screws Assortment Kit w T25 Wrench, Stainless Steel, M5x8mm/ 10mm/ 12mm/ 16mm/ 20mm, Tamper Proof Screws

– Fit Torx Size: T25;

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

What Remains Unclear

It remains unclear how quickly Apple will develop and release a patch to fix these vulnerabilities. Details of the specific vulnerabilities and attack techniques are still under embargo and will be published after Apple’s security update. The full technical analysis is pending.

What’s Next

Apple is expected to respond with security updates to patch the vulnerabilities. Researchers plan to publish a comprehensive technical report after the fix is released. The incident may prompt increased scrutiny of hardware security features and AI’s role in security research.

2pcs Embroidered Security Patches, Big Size Sew On Patches Security Badge Safety Iron On Patches for Vest Jackets Shirts and Outdoor Backpack

Product Contents: You will receive 2 pieces of embroidered security patches in different sizes, enough quantity to meet…

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the significance of this exploit?

This is the first public demonstration of a macOS kernel memory corruption exploit on M5 hardware that bypasses the MIE security system, indicating that hardware protections are not invulnerable.

When will Apple release a fix?

It is not yet confirmed when Apple will release a security update addressing these vulnerabilities, but it is expected to be within the next few weeks or months.

Can this exploit be used remotely?

No, the exploit requires local access and is a privilege escalation chain starting from an unprivileged user.

What role did AI play in this discovery?

AI tools like Mythos Preview helped identify vulnerabilities and assist in exploit development, demonstrating AI’s growing importance in security research.

Will this affect all Macs with M5 chips?

The exploit targets macOS 26.4.1 on M5 hardware with MIE enabled; effectiveness on other versions or configurations is still under investigation.