TL;DR
Researchers have publicly demonstrated the first macOS kernel memory corruption exploit on Apple M5 silicon with MIE enabled, ending with root access from an unprivileged user. The exploit shows that exploitable memory-corruption bugs remain even behind advanced hardware defenses.
Researchers have publicly demonstrated the first kernel memory corruption exploit on Apple M5 hardware running macOS 26.4.1, successfully escalating from an unprivileged user to root. This breakthrough highlights a potential vulnerability in Apple’s latest security defenses, notably the Memory Integrity Enforcement (MIE) system, which was designed to prevent such exploits.
Early this week, security researchers shared their findings with Apple at a meeting held at Apple Park, revealing a new exploit targeting the macOS kernel on M5 chips with MIE enabled. The exploit, developed over a few weeks, begins from an unprivileged local user and culminates in a root shell, bypassing Apple’s hardware-assisted memory safety features.
The discovery was made by a team including Bruce Dang, Dion Blazakis, and Josh Maine, with technical assistance from Mythos Preview, an AI-powered bug discovery tool. The team built the exploit on macOS 26.4.1 (build 25E253), utilizing two vulnerabilities and specific techniques tailored for the M5 hardware. The exploit chain was developed between April 25 and May 1, 2024, and includes a proof-of-concept video demonstrating the attack.
Why It Matters
This development is significant because it challenges the assumption that Apple’s hardware-level defenses, such as MIE, are impenetrable. As the first publicly known macOS kernel exploit on MIE-enabled hardware, it underscores the ongoing arms race between security measures and exploit techniques. The ability to compromise a high-security platform like macOS on M5 chips raises concerns about the robustness of current mitigations and the potential for future exploits.
For consumers and enterprises relying on Apple devices, this highlights the importance of ongoing security assessments and updates, as well as the potential need for additional software-layer protections until hardware defenses can be further fortified.

Background
Apple introduced MIE, based on ARM’s Memory Tagging Extension (MTE), as a core security feature for the M5 chip and subsequent devices, aiming to prevent memory corruption exploits. Apple invested years and billions of dollars into developing MIE, which has been effective against many known exploit chains. Prior to this, no public macOS kernel memory corruption exploits had been documented on MIE-enabled hardware.
The discovery was accidental but significant, as it demonstrated that even advanced hardware protections can be bypassed given the right vulnerabilities. The researchers’ previous work with AI tools such as Mythos Preview has shown that memory-safety vulnerabilities remain and that AI can accelerate their discovery. This exploit represents a notable milestone in understanding the limits of current hardware-based security measures.
“The exploit chain we developed shows that even the most advanced memory protections like MIE are not invulnerable.”
— Bruce Dang
“This work demonstrates the potential of combining AI tools with human expertise to uncover deep vulnerabilities.”
— Dion Blazakis
“Our goal was to test the limits of current hardware protections and demonstrate that vulnerabilities still exist.”
— Josh Maine

What Remains Unclear
It remains unclear how widespread or easily exploitable the vulnerability may be in real-world scenarios, and whether future updates from Apple will fully patch these flaws. The technical details of the vulnerabilities are still under embargo until Apple releases a security update.

What’s Next
Apple has been informed of the findings and is expected to release security patches addressing these vulnerabilities. Researchers plan to publish a detailed 55-page technical report after the fix is available. The security community will monitor for updates and assess the impact of this exploit on broader security strategies.
Key Questions
What is the significance of this exploit?
This is the first public demonstration of a macOS kernel memory corruption exploit on Apple M5 hardware with MIE, challenging assumptions about hardware-based security protections.
Can this exploit be used in the wild?
It is currently a proof-of-concept developed in a controlled environment. Its practical use in real-world attacks depends on further development and whether the vulnerabilities can be reliably exploited outside lab conditions.
Will Apple fix these vulnerabilities?
Yes, Apple has been informed and is expected to release security updates to patch the flaws once technical details are fully disclosed.
Does this mean Apple’s hardware security is compromised?
While it demonstrates that hardware defenses like MIE are not invulnerable, it does not mean all devices are immediately at risk. Patches and mitigations are likely forthcoming.