Share
## https://sploitus.com/exploit?id=74CAC0D8-5DBF-5108-AD42-078E2F58B005
# bsi-CVE-2026-20643

**WebKit Navigation API โ€” Same-Origin Policy bypass via cross-port interception**

`NavigateEvent.canIntercept` incorrectly returns `true` for cross-origin navigations (same host, different port). An attacker-controlled page can intercept or suppress navigations that should cross an origin boundary, enabling URL/context confusion and redirect abuse.

| | |
|---|---|
| **CVE** | CVE-2026-20643 |
| **Component** | WebKit โ€” Navigation API (`innerDispatchNavigateEvent`) |
| **Affected build** | iOS 26.3.1 `23D8133` (`iPhone18,2`) |
| **Class** | SOP bypass |
| **Requires user interaction** | Click / link activation |

## Contents

| File | Description |
|---|---|
| [`findings.md`](findings.md) | Root cause analysis, RE evidence, addresses |
| [`poc_min.html`](poc_min.html) | Self-contained PoC โ€” detects vulnerable vs patched |

## Vulnerable Code (WebCore `innerDispatchNavigateEvent`)

```cpp
// WebCore::Navigation::innerDispatchNavigateEvent โ€” 0x1a1303304
// iOS 26.3.1 build 23D8133

if (!isSameSite && !isSameOrigin)
    return false;
if (targetURL.protocolIsInHTTPFamily())
    return true; // โ† missing strict component equality checks
                 //   same-site cross-port slips through here
```

Fix (WebKit mainline) adds strict equality on scheme/user/password/host/**port** before returning `true`.

## Running the PoC

```sh
python3 -m http.server 8000
# Open http://127.0.0.1:8000/poc_min.html on an affected iOS device
# Click "Run PoC"
# Vulnerable:  canIntercept=true  (cross-port target interceptable)
# Patched:     canIntercept=false
```

The PoC navigates from `:8000` โ†’ `:8800` (same host, cross-origin) and reports whether the Navigation API gate allows interception.