Apple Addresses Critical WebKit Flaw
Apple has released its first round of Background Security Improvements to address a critical security flaw in the WebKit framework, affecting iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), allows attackers to bypass the same-origin policy when processing maliciously crafted web content.
Vulnerability Details
The flaw is a cross-origin issue in WebKit’s Navigation API. It affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Apple has addressed the vulnerability with improved input validation in these versions.
Discovery and Credit
The security researcher Thomas Espach is credited with discovering and reporting this flaw to Apple.
Background Security Improvements
Apple introduced Background Security Improvements as a way to deliver lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries through smaller, ongoing security patches. This feature is supported starting with iOS 26.1, iPadOS 26.1, and macOS.
User Control
Users can control Background Security Improvements via the Privacy and Security menu in the Settings app. To ensure that these improvements are automatically installed, it’s advised to keep the
Original article: https://thehackernews.com/2026/03/apple-fixes-webkit-vulnerability.html
