March 20, 2026
By esentry Team

Apple Fixes WebKit Vulnerability That Could Let Websites Access Your Data

Apple released an urgent security fix for a vulnerability affecting iPhones, iPads, and Macs. The flaw exists in WebKit, the core technology that powers the Safari browser and many apps that display web content.

The vulnerability, identified as CVE-2026-20643, could allow a malicious website to bypass one of the web’s key security protections and potentially access sensitive information from other websites you have open in the same browser session.

This issue affects the Same-Origin Policy, a core security rule in web browsers designed to keep data from different websites separate. Normally, it prevents one site from reading or interfering with information from another.

Key Terms Explained

  • WebKit: The browser engine used by Safari and many apps on Apple devices. Think of it as the translator between the internet and your screen. When you open a webpage, WebKit interprets the code from the website and displays the page properly on your device.
  • Same-Origin Policy: The vulnerability specifically affects the Same-Origin Policy (SOP), a browser security rule that prevents one website from accessing data belonging to another website.
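
To make the Same-Origin Policy definition above concrete, this added example (not from the original article, Apple, or WebKit) shows how "the same website" is decided by comparing the scheme, host, and port of two URLs. It illustrates the rule itself, not CVE-2026-20643; the function names and all URLs are constructed for illustration, and only http/https origins are modelled.

```javascript
// Added illustration of the Same-Origin Policy comparison (not WebKit code).
// An origin is the tuple (scheme, host, port); paths and queries do not matter.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return [scheme, host, port] for http/https URLs, or null for anything else.
// Assumption: other schemes (data:, file:, ...) are treated as opaque origins,
// which never match any origin; blob: URLs are out of scope here.
function originTuple(rawUrl) {
  const u = new URL(rawUrl); // normalises case and strips default ports
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol]];
}

// Compare two URLs and report which origin components differ.
function compareOrigins(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  if (ta === null || tb === null) {
    return { sameOrigin: false, differs: ["opaque"] };
  }
  const names = ["scheme", "host", "port"];
  const differs = names.filter((_, i) => ta[i] !== tb[i]);
  return { sameOrigin: differs.length === 0, differs };
}

// Constructed sample pairs, each compared against the same base page.
const BASE = "https://bank.example/account";
const SAMPLES = [
  "https://bank.example:443/transfer?id=1", // explicit default port, other path
  "HTTPS://Bank.Example/help",              // case differences only
  "http://bank.example/account",            // different scheme (and default port)
  "https://login.bank.example/account",     // subdomain is a different host
  "https://bank.example:8443/account",      // different port
  "data:text/html,<p>hi</p>",               // opaque origin
];

for (const url of SAMPLES) {
  const r = compareOrigins(BASE, url);
  const verdict = r.sameOrigin ? "same origin" : `cross-origin (${r.differs.join(", ")})`;
  console.log(`${url} -> ${verdict}`);
}
```
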

Affected Systems and Versions

  • iOS 26.3.1
  • iPadOS 26.3.1
  • macOS 26.3.1
  • macOS 26.3.2

Recommendation

  • Update your Apple devices: Ensure your iPhone, iPad, or Mac is running the latest system updates.
  • Be cautious with unknown websites: Many browser attacks rely on users visiting malicious or compromised pages.

How to Verify the Update

While many devices install these updates automatically, you can check your status manually:

  • On iPhone/iPad: Go to Settings > Privacy & Security > Background Security Improvements.
  • On Mac: Go to System Settings > Privacy & Security > Background Security Improvements.