Apple Patches WebKit Same-Origin Bypass on iOS and macOS
Apple on Tuesday pushed a targeted security fix for WebKit. Apple said the update arrives as the first public use of its Background Security Improvements delivery system.
Apple credited security researcher Thomas Espach with finding and reporting the issue. Apple tracked the bug as CVE-2026-20643.
The flaw sits in WebKit’s Navigation API. Apple said specially crafted web content could exploit it to bypass the browser’s same-origin policy. Apple classed the bug as a cross-origin issue, meaning one site could read from or interact with another in ways the browser should block.
Apple released the patch as iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Apple said the fix adds improved input validation.
Apple explained the delivery method. Apple called Background Security Improvements “lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries.” Apple introduced the feature with iOS 26.1, iPadOS 26.1, and macOS 26.
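To make the security boundary concrete: the same-origin policy compares the (scheme, host, port) tuple of two documents, and a bypass means a page gets cross-origin access that this comparison should refuse. The following is an added example, not Apple’s or WebKit’s code and not a reproduction of the Navigation API bug. It implements the origin comparison a browser applies using the standard WHATWG URL API, and includes the edge cases a practitioner should check: default-port normalisation and opaque origins (which the URL API serialises as the string "null" and which must never compare equal). The function names and sample URLs are constructed for illustration.

```javascript
// Added example: a same-origin check in the sense the browser applies to
// cross-document access. Not WebKit code; names and sample URLs are assumed.

function originOf(urlString) {
  const u = new URL(urlString);
  // The URL API serialises an opaque origin (data:, about:blank, etc.)
  // as the literal string "null"; represent that as a real null so callers
  // cannot accidentally match two opaque origins by string equality.
  if (u.origin === "null") return null;
  return u.origin; // scheme://host[:port], with the scheme's default port dropped
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // An opaque origin is unique to its document: it never matches anything,
  // not even an identically spelled URL. Returning false here avoids the
  // classic "null" === "null" mistake.
  if (oa === null || ob === null) return false;
  return oa === ob;
}

// Constructed sample pairs with the verdict the browser should reach.
const SAMPLES = [
  ["https://app.example/page", "https://app.example:443/other", true],  // default port normalised away
  ["https://app.example/page", "http://app.example/page", false],       // scheme differs
  ["https://app.example/page", "https://api.app.example/page", false],  // host differs (subdomain)
  ["https://app.example/page", "https://app.example:8443/page", false], // port differs
  ["blob:https://app.example/abc", "https://app.example/page", true],   // blob: inherits its creator's origin
  ["data:text/html,a", "data:text/html,a", false],                       // opaque origins never match
];

// Returns true when every sample is judged as expected.
function checkSamples() {
  return SAMPLES.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}

for (const [a, b, expected] of SAMPLES) {
  console.log(`${a} vs ${b}: sameOrigin=${sameOrigin(a, b)} (expected ${expected})`);
}
```

The blob: case shows why the check must be done on the parsed origin rather than on the URL string: a blob: URL carries the origin of the document that created it, so a document at `https://app.example` may read it, while a string comparison of the URLs would say otherwise. Any code path that compares origins by raw string, or that treats two "null" origins as equal, is exactly the kind of mistake that turns into a same-origin bypass.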
Users can control the feature in Settings. Apple said users should go to Privacy & Security and look for Background Security Improvements. Apple recommends leaving “Automatically Install” on so fixes reach devices without waiting.
Apple also warned about rolling back these small fixes. “If a Background Security Improvement has been applied, and you choose to remove it, your device reverts to the baseline software update (for example, iOS 26.3) with no Background Security Improvements applied,” Apple noted in a help document.
To be clear, Apple did not say this WebKit flaw was actively exploited in the wild. Apple did, however, treat it as important enough to ship via the new delivery system rather than wait for a full OS upgrade.
Context matters. Apple issued a separate fix last month for an actively exploited zero day tracked as CVE-2026-20700. Apple also expanded patches recently for four vulnerabilities that Apple said were weaponized by the Coruna exploit kit. Apple listed those fixes under CVE-2023-43010, CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222.
What should users do now? Apple’s advice is to install the Background Security Improvement when it appears. If “Automatically Install” is enabled, the patch should arrive without user action. Users can also install manually in Settings and then tap Restart & Install, Apple explained.
Apple noted that some Background Security Improvements for Safari on the Mac only need a browser relaunch. Apple indicated that this WebKit patch requires a system restart.
Thomas Espach’s report led to this release. Apple addressed the bug with added input validation and delivered the fix through the lighter Background Security Improvements channel rather than a full OS update.
The bottom line is simple. Apple released a focused WebKit fix for CVE-2026-20643. Apple and the researcher who reported it recommend installing the update as soon as it is available.
#Apple #WebKit #iOS #macOS #Vulnerability