Here we go again, more Mythos rumors and claims to unpack. I wrote a lengthy blog on Anthropic, Glasswing, and Mythos just over a month ago but this is about a very specific event and set of claims. A significant reason I am writing this is due to what I believe are poorly written headlines that are based in misunderstanding and/or attempting to sound more dramatic than warranted. It looks like the story is based on a Wall Street Journal (WSJ) article by Robert McMillan that was then picked up by many other sources. The WSJ article is based on a blog from a company called Calif that was published on May 14.
Before I can get into the weeds a bit, I have to do the job many of these journalists did not do and that means including some missing details, defining terms, and explaining it with more context. In McMillan’s “exclusive” article, he does not even mention that Calif is claiming this is the “first public macOS kernel memory corruption exploit on Apple M5“, an important detail. Instead, his title is actually even worse for a completely different reason, but we’ll backburner that for a minute.
Apple’s M5 processor was announced in October, 2025 as the successor to their M4 processor. What may be more important, and accurate, is that this exploit works despite Apple’s relatively new Memory Integrity Enforcement (MIE) technology designed to help protect against such exploits. That security feature was announced on September 9, 2025, before the M5 processors even. That means there are two claims from Calif: the first exploit on an Apple M5 device and it working despite MIE being enabled. The first is a really bold claim while the second is neat but may not be as big a deal as it seems.
Calif’s Claims
Since October 15, 2025, there have been at least 26 local privilege escalation vulnerabilities disclosed. Because many vulnerabilities with minimal details are described differently by various parties, we need to take note that there are an additional 27 vulnerabilities for Apple macOS since then that are described as “memory corruption” and 11 more as “buffer overflow”, a type of memory corruption. That immediately puts Calif’s first claim in question: “the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE.” From here it gets a bit tricky because Apple’s security advisories do not mention if a vulnerability is mitigated by MIE or not. However, when a researcher reports a vulnerability to Apple and it gets fixed, presumably some or all of these various overflows and memory corruption vulnerabilities potentially bypass MIE. Therefore, Calif’s claims about MIE are neat but certainly not a big deal based on available information.
For the M5 claims, how do they know their two vulnerabilities achieving root are the first for an M5 processor when it was announced nine months ago? Devices with that chip were available in stores as early as October 22, 2025 per Apple. Is Calif telling us that the 64 vulnerabilities mentioned above are all only valid on the M4 processors, and not a single one on the M5? That’s hard to believe. A couple months ago when Apple released patches for many vulnerabilities in macOS Tahoe 26.4, the same base version Calif’s vulnerabilities were tested on, that advisory mentions two memory corruption issues, two additional buffer overflows, and one privilege escalation vulnerability. Can Calif positively say that despite all of that, theirs is still the “first” for an M5 processor? I can’t find any reference to an MIE bypass in the vendor’s advisories at all, so that isn’t a piece of information shared in Apple’s disclosure.
Could it be possible that Calif just didn’t know all of this? Every single vulnerability above has a CVE identifier. Apple’s security advisories are easy to find and high end researchers tend to know about vendor advisories. Calif does not provide any evidence or citations to back their claims of being the ‘first’ for any of this. Their blog does disclaim it a bit saying their claims are “to the best of [their] knowledge“. That just means that I don’t believe Calif’s claims for now. Either they did not make any effort to perform due diligence before making such statements, or they intentionally did not check for prior art so that the disclaimer is technically accurate, while being very deceptive. It doesn’t matter which it is if they are wrong though.
I know via mutual friends that the researchers at Calif are intelligent and capable vulnerability researchers, and that part I am not doubting. However, I am pointing out that their jump to press first without sufficient details lands them here in my blog. Technical writing, or at least, attention to detail when writing such claims are equally important when it comes to vulnerability disclosures.
The Journalist’s Compound
In this case, compound means to “add to an existing problem, making it worse or creating new ones.” This entire blog was born out of McMillan’s headline: “Apple’s Security Has Been Tough to Crack. Mythos Helped Find a Way In.” Citation definitely needed! This headline implies that Apple’s security is ‘tough’, meaning difficult to find vulnerabilities in, and that now with the help of Mythos it has been done. This completely ignores the history of vulnerabilities disclosed in Apple’s products including macOS.
Since September 9, 2025, when MIE was announced, there have been at least 547 vulnerabilities disclosed in Apple products. That’s a lot! Enough to make me immediately question how a seasoned journalist can say that Apple’s products are somehow ‘tough’ to find vulnerabilities in. Sure, tough for rookie researchers and those that lack the skills to find more complex classes of vulnerabilities but those numbers mean there are a lot out there perfectly capable of doing it. Of those 547 vulnerabilities, at least 11 are known to be exploited in the wild (a.k.a. Known Exploited Vulnerability or KEV).
Mariella Moon writing for Engadget had a headline that is more tame, but is unfortunately a subtle dig at Calif’s researchers if you read between the lines. She wrote “Security researchers, aided by Anthropic’s Mythos, claim to have breached macOS“. A vast majority of those 547 vulnerabilities mentioned were done without Mythos which makes her headline imply that Calif couldn’t have done it without the new tool. Oops! Stan Schroeder wrote an article for Mashable titled “Anthropic’s Mythos is already finding security flaws in Apple software” which is very tame by comparison at least.
Bruno Ferreira writing for Tom’s Hardware seems to parrot Calif’s claims verbatim, without any level of scrutiny. “First Apple M5 memory exploit discovered using Anthropic AI, gives root access on MacOS — Claude Mythos helps security researchers bypass Memory Integrity Enforcement“. Ferreira does include the M5 and MIE bits though which is great to see, since that is at the core of the bold claims making headlines. Will McCurdy’s article for PC Mag has a reasonable title but another line in the article caught my attention:
The exploit took five days to discover, but researchers noted that it could not have been pulled off by Anthropic’s Mythos alone and also required the expertise of its human hackers.
So now we seemingly have a case where Calif required Mythos to find these vulnerabilities, but Mythos could not have found them without help from humans. That certainly throws a stone at Mythos on the back of impressive claims about the efficacy of their tool in finding vulnerabilities.
Now we’re left to wait for Calif to publish full technical details after Apple provides a patch to determine what the truth is. Was this really the first exploit for the M5 processor? They will need to bring receipts on that which I don’t think is possible since Apple doesn’t include which processors are impacted in advisories. Further, Apple does not mention which bypass MIE and most researchers don’t either, for the relatively few that even publish advisories of their own. That means Calif will need to give us some idea about how many of those 547 vulnerabilities can bypass MIE on top of explaining why none of those 547 work on the M5. Without that we’re left with bold but unfounded claims and that should be a warning sign to anyone considering their services.
Or will this be a case where by the time details are published everyone has moved on to the next headline? It’s become a favored side effect for many marketing firms and many more in the last two decades.
In Vietnamese, you might say “Hãy đưa ra bằng chứng.”
Leave a Reply