Background Security Improvements update issued to remediate CVE-2026-20643 WebKit navigation bypass
Summary
Apple’s Background Security Improvements update addressed CVE-2026-20643, a WebKit flaw enabling malicious web content to bypass Same Origin Policy restrictions via the Navigation API. The vulnerability impacted iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, exposing users to data leakage or spoofing risks. The fix was delivered as a lightweight, out-of-band patch via Apple’s Background Security Improvements mechanism, eliminating the need for a full OS upgrade or device restart. Background Security Improvements updates can be managed via Privacy & Security settings, with options for automatic installation and rollback to baseline OS versions if removed.
Timeline
- 18.03.2026 03:06 (2 articles)
Background Security Improvements update deployed to address CVE-2026-20643 WebKit flaw
Apple issued its first Background Security Improvements update to remediate CVE-2026-20643, a WebKit vulnerability enabling malicious web content to bypass Same Origin Policy restrictions via the Navigation API. The patch was delivered to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2 as a lightweight, out-of-band update, avoiding the need for a full OS upgrade or device restart. Background Security Improvements updates are supported and enabled for iOS 26.1, iPadOS 26.1, and macOS 26 and later; users can manage updates via Privacy and Security settings with options for automatic installation. Removing a Background Security Improvement reverts the device to the baseline OS version without the patch, and compatibility issues may require temporary removal until enhanced in a subsequent update.
Sources:
- Apple pushes first Background Security Improvements update to fix WebKit flaw — www.bleepingcomputer.com — 18.03.2026 03:06
- Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS — thehackernews.com — 18.03.2026 08:31
Information Snippets
- CVE-2026-20643 is a cross-origin flaw in the WebKit Navigation API that allowed malicious web content to bypass Same Origin Policy restrictions. (First reported 18.03.2026 03:06; sources: www.bleepingcomputer.com, thehackernews.com.)
- Apple deployed the first Background Security Improvements update to remediate CVE-2026-20643, applicable to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. (First reported 18.03.2026 03:06; sources: www.bleepingcomputer.com, thehackernews.com.)
- Discovery of the flaw was credited to security researcher Thomas Espach, and it was addressed via improved input validation in the Navigation API. (First reported 18.03.2026 03:06; sources: www.bleepingcomputer.com, thehackernews.com.)
- Background Security Improvements enables lightweight, out-of-band security patches for components such as Safari, WebKit, and system libraries without requiring full OS upgrades or restarts. (First reported 18.03.2026 03:06; sources: www.bleepingcomputer.com, thehackernews.com.)
- Users can manage Background Security Improvements updates via Privacy & Security settings on iPhone, iPad, and Mac; uninstalling the update removes all prior background patches and reverts the device to the baseline OS version. (First reported 18.03.2026 03:06; sources: www.bleepingcomputer.com, thehackernews.com.)
- Background Security Improvements updates are supported and enabled for iOS 26.1, iPadOS 26.1, and macOS 26 and later. (First reported 18.03.2026 08:31; source: thehackernews.com.)
- Users can manage Background Security Improvements via Privacy and Security settings in the Settings app, with an option to enable automatic installation. (First reported 18.03.2026 08:31; source: thehackernews.com.)
- Removing a Background Security Improvement reverts the device to the baseline OS version without the patch. (First reported 18.03.2026 08:31; source: thehackernews.com.)
- The Background Security Improvements mechanism is analogous to iOS 16’s Rapid Security Response for lightweight security updates. (First reported 18.03.2026 08:31; source: thehackernews.com.)
- Compatibility issues may require temporary removal of Background Security Improvements until enhanced in a subsequent update. (First reported 18.03.2026 08:31; source: thehackernews.com.)
Similar Happenings
Google Chrome Zero-Day Exploits in Skia and V8 Engine
Google has released emergency updates for Chrome to patch two actively exploited zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910). The first is an out-of-bounds write flaw in Skia, a 2D graphics library, which could lead to browser crashes or code execution. The second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. Both vulnerabilities were discovered and patched within two days of reporting, affecting Windows, macOS, and Linux systems. The updates are rolling out to users, though it may take days or weeks to reach all users. Google has not disclosed further details about the attacks exploiting these vulnerabilities. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.
Coruna and Darksword iOS Exploit Kits Used by Russian Threat Actor UNC6353 Across Multiple iOS Versions
The Coruna iOS exploit kit campaign has expanded with the emergence of a new, highly sophisticated iOS malware family named Darksword. Targeting iPhones running iOS 18.4 through iOS 18.7, Darksword is attributed to the Russian threat actor UNC6353, which is also linked to the earlier Coruna exploit kit. Discovered by Lookout Threat Labs in collaboration with Google’s Threat Intelligence Group and iVerify, Darksword leverages multiple zero-day and known vulnerabilities to execute kernel read/write attacks via Safari, enabling rapid exfiltration of sensitive data including cryptocurrency wallets, messages, location history, and health data. The malware is designed as a modular, professionally engineered platform with evidence of large language model tools used for development and extensibility. Unlike Coruna, Darksword focuses on immediate data theft and self-wipes temporary files after exfiltration, indicating a shift toward opportunistic financial espionage rather than long-term surveillance. Apple has already patched the exploited vulnerabilities in current iOS releases, and users are advised to upgrade to iOS 26.3.1 and enable Lockdown Mode if at high risk.
Prior context: The Coruna exploit kit, first observed in February 2025, targeted iOS versions 13.0 to 17.2.1 with 23 exploits across five chains, used by multiple actors including UNC6353 and UNC6691. It delivered payloads via the PlasmaGrid stager to steal wallet recovery phrases and other sensitive data, and was used in watering hole attacks on Ukrainian and Chinese crypto-related websites. CISA added three Coruna-linked vulnerabilities to its Known Exploited Vulnerabilities catalog, and Apple backported fixes to older devices. The Coruna kit marked a shift from targeted spyware to broader iOS exploitation, including crypto theft, and was linked to U.S. military contractor L3Harris via Operation Zero.
Apple Patches Three Zero-Day Flaws Exploited in Targeted Attacks
Apple has released emergency updates to address a new zero-day vulnerability (CVE-2026-20700) in dyld, which was exploited in sophisticated attacks targeting specific individuals. This flaw was exploited in the same incidents as two previously disclosed WebKit vulnerabilities (CVE-2025-43529 and CVE-2025-14174). The flaws can lead to remote code execution and memory corruption when processing maliciously crafted web content. The affected devices include various iPhone and iPad models running versions of iOS before iOS 26, as well as Mac devices running macOS Tahoe. Apple and Google's Threat Analysis Group discovered the vulnerabilities, and Google has also patched the same flaw (CVE-2025-14174) in Google Chrome, indicating coordinated disclosure. While the attacks were highly targeted, users are advised to update their devices promptly to mitigate ongoing risks. With these updates, Apple has now patched nine zero-day vulnerabilities that were exploited in the wild in 2025 and one in 2026.