CVE-2026-20643

NameCVE-2026-20643
DescriptionA cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
webkit2gtk (PTS)bullseye2.44.2-1~deb11u1vulnerable
bullseye (security)2.50.4-1~deb11u1vulnerable
bookworm2.50.4-1~deb12u1vulnerable
bookworm (security)2.50.6-1~deb12u1vulnerable
trixie2.50.4-1~deb13u1vulnerable
trixie (security)2.50.6-1~deb13u1vulnerable
forky2.50.6-1vulnerable
sid2.52.0-1vulnerable
wpewebkit (PTS)bullseye, bullseye (security)2.38.6-1~deb11u1vulnerable
bookworm2.38.6-1vulnerable
trixie2.48.3-1vulnerable
forky2.50.6-1vulnerable
sid2.52.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
webkit2gtksourcebookworm(unfixed)end-of-life
webkit2gtksource(unstable)2.52.1-1
wpewebkitsourcebullseye(unfixed)end-of-life
wpewebkitsource(unstable)2.52.1-1

Notes

[bookworm] - webkit2gtk <end-of-life> (webkit2gtk >= 2.52 can no longer be backported)
[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
[bullseye] - wpewebkit <end-of-life> (see #1035997)
https://webkitgtk.org/security/WSA-2026-0002.html
Search for package or bug name: Reporting problems