CVE-2026-20643
Published: March 17, 2026 · Updated: Mar 19, 2026
Official Description
A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy.
Technical Analysis
CVE-2026-20643 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, but it does require user interaction, which slightly reduces the risk of mass automated attacks.
News & Research Mentioning CVE-2026-20643
Apple has released a Background Security Improvement that silently fixes a WebKit vulnerability (CVE-2026-20643). (Source: Malwarebytes Labs)
Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. The [...] (Source: The Hacker News)
Apple has released its first Background Security Improvements update to fix a WebKit flaw tracked as CVE-2026-20643 on iPhones, iPads, and Macs without requiring a full operating system upgrade. [...] (Source: BleepingComputer)
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-20643 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts