CVE-2026-43660 Overview
CVE-2026-43660 is a validation flaw in Apple's WebKit-based platforms that allows maliciously crafted web content to bypass Content Security Policy (CSP) enforcement. Apple addressed the issue with improved logic in Safari 26.5, iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. The weakness maps to [CWE-693] (Protection Mechanism Failure). An attacker hosting a crafted page can defeat a security control that defenders rely on to constrain script execution and resource loading in the browser.
Critical Impact
A network-based attacker can bypass Content Security Policy on unpatched Apple devices, weakening defenses against cross-site scripting and untrusted content loading.
Affected Products
- Apple iOS and iPadOS prior to 18.7.9 and 26.5
- Apple macOS Tahoe prior to 26.5 and Safari prior to 26.5
- Apple tvOS, visionOS, and watchOS prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-43660 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43660
Vulnerability Analysis
The vulnerability resides in the validation logic that enforces Content Security Policy directives when processing web content. CSP is a browser security mechanism that restricts which scripts, styles, and resources a page may load. When the underlying parser or matching routine accepts input that should be rejected, the policy fails to apply. Apple describes the fix as addressing a validation issue with improved logic, indicating that the original check did not correctly evaluate certain crafted inputs.
The impact is confidentiality-focused. An attacker cannot directly execute code or alter system integrity through this flaw alone. However, defeating CSP removes a layer of mitigation that protects against injected scripts, exfiltration of tokens, and loading of attacker-controlled resources on otherwise trusted origins.
Root Cause
The defect is a protection mechanism failure [CWE-693] in the CSP enforcement path. Apple's advisory states the issue was corrected with improved logic, consistent with a validation routine that failed to normalize or compare policy inputs as intended. The specific WebKit component and parsing primitive are not disclosed in the public advisory.
Attack Vector
Exploitation requires the victim to process attacker-controlled web content in Safari or any WebKit-backed application across the affected operating systems. No authentication and no user interaction beyond visiting the page are required. The flaw is reachable over the network through any vector that delivers HTML to the browser, including malicious sites, compromised origins, malvertising, and embedded iframes.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in prose because no validated exploit samples have been published. Refer to the Apple Support advisories for the authoritative technical description.
Detection Methods for CVE-2026-43660
Indicators of Compromise
- No file-based or network-based indicators of compromise have been published for this issue.
- Successful exploitation leaves no distinct artifact on the endpoint, since CSP bypass is a behavioral failure of a browser policy rather than a payload drop.
Detection Strategies
- Inventory all Apple endpoints and identify devices running Safari, iOS, iPadOS, macOS, tvOS, visionOS, or watchOS builds older than the fixed versions listed in the Apple advisories.
- Monitor web proxy and DNS telemetry for users browsing to newly registered or low-reputation domains from unpatched Apple devices, since the flaw is browser-borne.
- Review server-side CSP violation report endpoints for an unexplained drop in reports from Safari user agents, which can indicate that policies are not being enforced client-side.
Monitoring Recommendations
- Track Apple software version distribution through mobile device management (MDM) inventory and flag devices that remain on pre-26.5 builds.
- Correlate browser process activity on macOS with outbound connections to untrusted origins after navigation to external links.
- Maintain logging of CSP report-to and report-uri endpoints to detect regressions in enforcement across the user population.
How to Mitigate CVE-2026-43660
Immediate Actions Required
- Update affected devices to Safari 26.5, iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, or watchOS 26.5.
- Push the updates through MDM with an enforced compliance deadline and block non-compliant devices from sensitive resources.
- Notify users to restart browsers and devices after patching so that WebKit components reload with the corrected logic.
Patch Information
Apple has released fixes across its product line. See the vendor advisories for build numbers and release notes: Apple Support Article 127110, Apple Support Article 127111, Apple Support Article 127115, Apple Support Article 127118, Apple Support Article 127119, Apple Support Article 127120, and Apple Support Article 127121.
Workarounds
- Restrict browsing on unpatched devices to known, trusted origins through a web proxy or secure web gateway policy until patches are applied.
- Strengthen server-side defenses that do not rely solely on CSP, including output encoding, Trusted Types, and strict input validation on web applications accessed from Apple devices.
- Where feasible, isolate high-risk browsing in remote browser isolation (RBI) so that policy bypass on the client does not expose corporate data.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
