Apple rolls out BSI patch

The WebKit bug patched by the first Background Security Improvement is recorded as CVE‑2026‑20643 and the BSI entry was published on March 17, 2026 for iOS 26.3.1 (a), iPadOS 26.3.1 (a), and macOS 26.3.1/26.3.2 (a). (support.apple.com) Reverse engineering shows the root cause lives in WebCore::Navigation::innerDispatchNavigateEvent where NavigateEvent.canIntercept returns true for same‑site but different‑port navigations because the code checks HTTP‑family protocol before verifying scheme/host/port equality; the mainline fix adds strict per‑component equality checks. (github.com) The public repository includes a minimal PoC (poc_min.html) that reproduces the issue by serving a page on port 8000 and triggering a navigation to port 8800; the repo also notes an affected build of iOS 26.3.1 (build 23D8133 on iPhone18,2). (github.com) Exploit impact is described as allowing an attacker‑controlled page to intercept or suppress navigations that cross origin boundaries, enabling URL/context confusion and redirect abuse rather than requiring remote code execution. (vulmon.com) Background Security Improvements are applied only to the latest minor OS version, are lettered per release (starting with “a”), can be enforced via device management keys, and on macOS Safari‑related fixes become active as soon as Safari is relaunched without a full OS restart. (support.apple.com) The technical write‑up credits WebKit Bugzilla entry 306050 and names Thomas Espach on the Apple advisory, while independent researcher zeroxjf published a detailed RE write‑up and PoC on GitHub and demonstrated the behavior publicly on X. (support.apple.com)