Share
## https://sploitus.com/exploit?id=74CAC0D8-5DBF-5108-AD42-078E2F58B005
# bsi-CVE-2026-20643
**WebKit Navigation API โ Same-Origin Policy bypass via cross-port interception**
`NavigateEvent.canIntercept` incorrectly returns `true` for cross-origin navigations (same host, different port). An attacker-controlled page can intercept or suppress navigations that should cross an origin boundary, enabling URL/context confusion and redirect abuse.
| | |
|---|---|
| **CVE** | CVE-2026-20643 |
| **Component** | WebKit โ Navigation API (`innerDispatchNavigateEvent`) |
| **Affected build** | iOS 26.3.1 `23D8133` (`iPhone18,2`) |
| **Class** | SOP bypass |
| **Requires user interaction** | Click / link activation |
## Contents
| File | Description |
|---|---|
| [`findings.md`](findings.md) | Root cause analysis, RE evidence, addresses |
| [`poc_min.html`](poc_min.html) | Self-contained PoC โ detects vulnerable vs patched |
## Vulnerable Code (WebCore `innerDispatchNavigateEvent`)
```cpp
// WebCore::Navigation::innerDispatchNavigateEvent โ 0x1a1303304
// iOS 26.3.1 build 23D8133
if (!isSameSite && !isSameOrigin)
return false;
if (targetURL.protocolIsInHTTPFamily())
return true; // โ missing strict component equality checks
// same-site cross-port slips through here
```
Fix (WebKit mainline) adds strict equality on scheme/user/password/host/**port** before returning `true`.
## Running the PoC
```sh
python3 -m http.server 8000
# Open http://127.0.0.1:8000/poc_min.html on an affected iOS device
# Click "Run PoC"
# Vulnerable: canIntercept=true (cross-port target interceptable)
# Patched: canIntercept=false
```
The PoC navigates from `:8000` โ `:8800` (same host, cross-origin) and reports whether the Navigation API gate allows interception.