PT-2026-25953 · Apple +3 · WebKit +6
Thomas Espach · Published 2026-03-17 · Updated 2026-05-19
CVE-2026-20643
CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Affected versions: Apple WebKit and Safari versions prior to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, macOS 26.3.2, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, and iOS 18.7.7 and iPadOS 18.7.7

Description: A cross-origin vulnerability exists within the WebKit Navigation API. Processing maliciously crafted web content may allow bypassing the Same Origin Policy, potentially enabling data leakage or session compromise simply by visiting a specially designed webpage. This issue was addressed through improved input validation. The vulnerability, identified as CVE-2026-20643, affects the Safari browser and other web content rendering components on Apple platforms. Apple has introduced a new Background Security Improvements feature to deliver these fixes outside of full OS updates.

Fix: Update to iOS 26.3.1, iPadOS 26.3.1, or macOS 26.3.1/26.3.2. Update to iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, or iOS 18.7.7 and iPadOS 18.7.7. Ensure Background Security Improvements are enabled in Privacy and Security settings. If compatibility issues arise after a background update, the update can be temporarily removed and will be re-applied in a future software update.

Tags: RCE

Weakness Enumeration: Origin Validation Error

Related Identifiers

ALSA-2026:10702
ALSA-2026:19206
ALSA-2026:9692
BDU:2026-04941
CVE-2026-20643
OPENSUSE-SU-2026:20518-1
RHSA-2026:10702
RHSA-2026:11329
RHSA-2026:11814
RHSA-2026:13845
RHSA-2026:14659
RHSA-2026:9692
SUSE-SU-2026:1364-1
SUSE-SU-2026:21180-1
USN-8237-1

Affected Products

Linux Mint
Apple macOS
Rocky Linux
Ubuntu
WebKit
iOS
iPadOS