Kernel extensions (KEXTs)

A kernel extension is essentially a dynamically-loadable module that runs within the macOS kernel (the core of the OS). KEXTs have full access to the kernel and hardware, which means they operate with the highest privileges (“ring 0” in OS terms). Traditionally, KEXTs have been used for things like device drivers (for third-party hardware), filesystem plugins, low-level network filters, security software hooks, and other functionality that requires deep integration with the OS. Apple’s own kernel is modular, and macOS itself includes many default KEXTs (for example, for handling filesystems and networking; over 300 standard kexts are included with macOS).


Third-party examples include kernel drivers for virtualization software (older versions of VirtualBox used a kext), kernel-level firewalls or monitoring tools, or even some legacy antivirus file monitors. On the malicious side, rootkits and certain advanced malware have also used KEXTs in the past (since running as a kext can give malware complete control over the system). One example is the open-source keylogger LogKext, which installs as a kernel extension to log keystrokes.


TLDR: KEXTs are modules that extend the functionality of the XNU kernel. They provide services like hardware drivers, file system plugins, networking enhancements, and security tools. There are a few types of kexts:

  • Device drivers: Things like graphics cards (e.g., AMDFramebuffer.kext), audio devices (AppleHDA.kext), Wi-Fi adapters (IO80211Family.kext).
  • File systems: Support for filesystems like NTFS, exFAT, and custom solutions (e.g., com.paragon-software.filesystems.ntfs.kext).
  • Networking extensions: VPN plugins, packet filters (e.g., com.cisco.kext.vpn or Apple’s own pf and ipfw extensions).
  • Security and anti-malware: Tools like antivirus software (com.symantec.kext.internetSecurity), endpoint protection, etc.
  • Virtualization and emulation: VMware, Parallels, or VirtualBox often install kexts for virtual network interfaces, file sharing, and virtual disk mounting.

How to list loaded kernel extensions

You can see all the currently loaded kexts with:

kextstat
# filter out Apple-provided kexts to show only third-party extensions
kextstat | grep -v com.apple
# also useful: lists System Extensions (covered below)
systemextensionsctl list
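
An added example (not from the original page) that tightens the `grep -v com.apple` filter: it matches the `com.apple.` prefix only in the name column and compares what remains with an allowlist of approved bundle IDs. The sample lines are constructed in the kextstat column layout (Index, Refs, Address, Size, Wired, Name, Version), and the allowlisted bundle ID is a placeholder.

```shell
#!/bin/sh
# Constructed sample in kextstat's column layout (all values made up).
# On a Mac, pipe real `kextstat` output into the functions instead.
sample_kextstat() {
cat <<'EOF'
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  140 0                  0          0          com.apple.kpi.bsd (1.0.0) 11111111-1111-1111-1111-111111111111 <>
   52    0 0xffffff7f80a00000 0x5000     0x5000     com.apple.filesystems.apfs (1.0.0) 22222222-2222-2222-2222-222222222222 <7 6 5 3 1>
  171    0 0xffffff7f82c00000 0x9000     0x9000     com.example.vpn.kext (4.2.1) 33333333-3333-3333-3333-333333333333 <7 5 3 1>
  172    0 0xffffff7f82d00000 0x3000     0x3000     com.applegate.driver (1.0) 44444444-4444-4444-4444-444444444444 <5 3 1>
EOF
}

# Print "bundleID version" for each loaded kext whose name (column 6) does
# not start with "com.apple.". Plain `grep -v com.apple` would also hide
# com.applegate.driver, because it matches the substring anywhere on the line.
third_party_kexts() {
  awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ {
    v = $7; gsub(/[()]/, "", v); print $6, v }'
}

# Read kextstat output on stdin and print the third-party kexts that are
# missing from the allowlist file $1 (one bundle ID per line).
unexpected_kexts() {
  third_party_kexts | while read -r id ver; do
    grep -Fxq -- "$id" "$1" || printf '%s %s\n' "$id" "$ver"
  done
}

# Demo with a placeholder allowlist.
allow=$(mktemp)
printf '%s\n' com.example.vpn.kext > "$allow"
sample_kextstat | unexpected_kexts "$allow"
rm -f "$allow"
```

The bundle identifier is a string taken from the kext's Info.plist, so treat the prefix as a filter for triage, not as proof of who shipped the extension.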

Example of some default Apple kexts

Use grep -r

  • com.apple.driver.AppleIntelPCHPMC in /System/Library/Extensions/AppleIntelPCHPMC.kext/Contents/Info.plist
  • com.apple.iokit.IOBluetoothFamily in /System/Library/Extensions/IOBluetoothFamily.kext/Contents
  • com.apple.filesystems.apfs in /System/Library/Extensions/apfs.kext/Contents

Important note

Starting with macOS Catalina (10.15) and heavily enforced in Big Sur (11+), Apple is deprecating kernel extensions in favor of System Extensions and DriverKit. Third-party kexts require explicit user approval and rebooting into a special mode if System Integrity Protection (SIP) blocks them.

System extensions

System Extensions are the replacement for many legacy kernel extensions (kexts). They run in user space instead of kernel space, which makes them more secure and stable. Here’s where and how you can find, view, and manage System Extensions. To list them, run the systemextensionsctl list command shown earlier.

This shows:

  • teamID: Developer Team ID that signed the extension
  • bundleID: Identifier of the extension
  • Whether it’s active, enabled, or awaiting approval
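
An added example (not part of the original page) that turns that listing into an inventory: it extracts team ID, bundle ID and state, then reports extensions still awaiting approval and the distinct signing teams. The input is a constructed sample; the tab-separated layout and the "waiting for user" state text are assumptions about the tool's output, and all identifiers are made up.

```shell
#!/bin/sh
# Constructed sample in the tab-separated layout assumed for
# `systemextensionsctl list`; team IDs, bundle IDs and names are made up.
sample_sysext() {
  printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.network_extension'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '*\t*\tABCDE12345\tcom.example.vpn.extension (1.0/1)\tMyVPN\t[activated enabled]\n'
  printf '\t\tZYXWV98765\tcom.example.monitor.extension (2.3/7)\tMonitor\t[activated waiting for user]\n'
}

# Print "teamID<TAB>bundleID<TAB>state" for every extension row.
sysext_inventory() {
  LC_ALL=C awk -F '\t' 'NF >= 6 && $3 ~ /^[A-Z0-9]+$/ {
    id = $4; sub(/ \(.*$/, "", id)       # drop the " (version)" suffix
    st = $6; gsub(/^\[|\]$/, "", st)     # drop the surrounding brackets
    print $3 "\t" id "\t" st
  }'
}

# Bundle IDs still awaiting approval (state text assumed: "waiting for user").
sysext_pending() {
  sysext_inventory | awk -F '\t' '$3 ~ /waiting for user/ { print $2 }'
}

# Distinct signing teams, for comparison with the vendors you expect.
sysext_teams() {
  sysext_inventory | cut -f 1 | sort -u
}

# Demo on the constructed sample; on a Mac, pipe the real command output in.
sample_sysext | sysext_inventory
```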

File system location

System Extensions are usually part of an app bundle, not stored as standalone .kext files. You may find them inside:

/Applications/<AppName>.app/Contents/Library/SystemExtensions/

# Example
# /Applications/MyVPN.app/Contents/Library/SystemExtensions/com.example.vpn.extension.systemextension

You can ls or inspect them like this:

ls /Applications/*/Contents/Library/SystemExtensions/

System settings UI (macOS Ventura and later)

Go to: System Settings → Privacy & Security → scroll down to Security

If an extension is pending approval, you’ll see something like:

“System software from developer ‘Team Name’ was blocked from loading.”

You’ll need to approve it here and may have to reboot into Recovery Mode to allow certain types (like for network monitoring or endpoint security).

Security and stability

Because KEXTs run in kernel space, a buggy or malicious kext can crash the entire system (kernel panic) or undermine OS security completely. Apple has long viewed this as a risk:

“Kexts risk the integrity and reliability of the operating system.”

For this reason, macOS has increasingly restricted kext usage over the years. As of macOS 10.13 High Sierra, Apple introduced “User-Approved Kernel Extension Loading”; any third-party kext (not already allowed) would trigger a user prompt in System Preferences > Security, and require the user to approve it before it can load. Additionally, since macOS Catalina, all KEXTs must be notarized and code-signed by a developer approved by Apple, or they will be blocked from loading. On macOS 11+ (Big Sur and later), third-party kext loading is even more locked down: it requires not only user approval and a reboot, but on Apple Silicon (M1/M2 chips) the user must boot into Recovery and lower the security policy to allow kexts at all. This effectively means KEXT usage is now a highly privileged operation gated by user consent and system settings. Apple states that kernel extensions are no longer recommended and developers should avoid them if possible.

Lifecycle

KEXTs are typically installed in /Library/Extensions (for third-party extensions) or reside in /System/Library/Extensions for Apple’s own. They have a .kext bundle structure. They can be loaded at boot (some kexts are essential to boot hardware support) or on-demand when a dependent piece of hardware/software is used. Loading a new third-party kext in Big Sur+ requires a reboot because the kernel’s “kernel cache” (or a new concept called AuxKC in Big Sur) must be rebuilt with the new extension and the system restarted to include it. Unloading or updating kexts is non-trivial in modern macOS; it’s generally expected that kext changes happen via reboots.