WebKit Same Origin Policy bypass (CVE-2026-20643)
Vulnerability
Summary
Hide ▲
Show ▼
Apple fixed CVE-2026-20643, a WebKit flaw that let malicious web content bypass Same Origin Policy on iPhones, iPads, and Macs. The bug created a cross-origin browser security break that could weaken origin isolation. Apple delivered the fix through Background Security Improvements, reducing exposure without requiring a full OS upgrade.
Related Happenings
Apple A12/A13 SecureROM USB DMA underflow with public usbliter8 exploit security flaw
Vulnerability
H score0
First: 19.06.2026 21:37
Last: 19.06.2026 21:37
Sources 1
About this happening:
A public **usbliter8** exploit now reaches **arbitrary code execution** in Apple's **SecureROM**, exposing an **unpatchable USB DMA underflow flaw** across **A12, A13, S4, and S5*...
Apple A12/A13 SecureROM USB DMA underflow with public usbliter8 exploit security flaw
VulnerabilityAbout this happening: A public **usbliter8** exploit now reaches **arbitrary code execution** in Apple's **SecureROM**, exposing an **unpatchable USB DMA underflow flaw** across **A12, A13, S4, and S5*...
Apple Passwords app and Safari add Apple Intelligence-powered automatic password repair
Security Tool/Service
H score10
First: 09.06.2026 00:03
Last: 09.06.2026 00:03
Sources 1
About this happening:
**Apple Passwords app** and **Safari** are adding an **Apple Intelligence** feature that can automatically repair weak or compromised passwords, reducing password-hygiene risk for...
Apple Passwords app and Safari add Apple Intelligence-powered automatic password repair
Security Tool/ServiceAbout this happening: **Apple Passwords app** and **Safari** are adding an **Apple Intelligence** feature that can automatically repair weak or compromised passwords, reducing password-hygiene risk for...
IOS 26.5 beta rolls out default end-to-end encrypted RCS messaging on iPhone and Android
Security Tool/Service
H score11
First: 12.05.2026 08:18
Last: 12.05.2026 08:18
Sources 1
About this happening:
Apple's **iOS 26.5** beta adds **default end-to-end encrypted RCS** messaging for **iPhone** and **Android** users, strengthening privacy in cross-platform chats. The rollout cove...
IOS 26.5 beta rolls out default end-to-end encrypted RCS messaging on iPhone and Android
Security Tool/ServiceAbout this happening: Apple's **iOS 26.5** beta adds **default end-to-end encrypted RCS** messaging for **iPhone** and **Android** users, strengthening privacy in cross-platform chats. The rollout cove...
OpenAI rotates macOS code-signing certificates after supply-chain exposure
Security Tool/Service
H score12
First: 13.04.2026 20:39
Last: 13.04.2026 20:39
Sources 1
About this happening:
**OpenAI** is **rotating and revoking macOS code-signing certificates**, forcing users of **ChatGPT Desktop**, **Codex**, **Codex CLI**, and **Atlas** to update so trust in signed...
OpenAI rotates macOS code-signing certificates after supply-chain exposure
Security Tool/ServiceAbout this happening: **OpenAI** is **rotating and revoking macOS code-signing certificates**, forcing users of **ChatGPT Desktop**, **Codex**, **Codex CLI**, and **Atlas** to update so trust in signed...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
H score11
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/ServiceAbout this happening: Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Timeline
-
18.03.2026 08:31 2 articles · 3mo ago
Apple releases Background Security Improvements for CVE-2026-20643
Mitigation Patch UpdateApple released its first round of Background Security Improvements to address CVE-2026-20643 in WebKit, a cross-origin issue in the Navigation API that could bypass the same-origin policy when processing maliciously crafted web content. The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, and Apple says it was addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Apple also credits security researcher Thomas Espach with discovering and reporting the shortcoming.
Show sources
- Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS — thehackernews.com — 18.03.2026 08:31
- Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS — thehackernews.com — 18.03.2026 08:31
-
18.03.2026 03:06 1 articles · 3mo ago
Apple releases first Background Security Improvements fix for CVE-2026-20643
Mitigation Patch UpdateApple released its first Background Security Improvements update to fix CVE-2026-20643, a WebKit flaw on iPhones, iPads, and Macs that let malicious web content bypass the browser's Same Origin Policy. The out-of-band patch used improved input validation, was available for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, and uninstalling it removes previously applied background patches and reverts devices to the baseline OS version until the fixes are reapplied or bundled into a future full update.
Show sources
- Apple pushes first Background Security Improvements update to fix WebKit flaw — www.bleepingcomputer.com — 18.03.2026 03:06