Apple pushes first Background Security Improvements update to fix WebKit flaw
Apple released its first Background Security Improvements update, fixing the WebKit flaw CVE‑2026‑20643 that lets malicious web content bypass Safari’s Same Origin Policy. The patch applies to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1 and 26.3.2 without a full OS upgrade, demonstrating Apple’s new lightweight out‑of‑band security feature that delivers small fixes between major releases.

Apple has rolled out its first “Background Security Improvements” update to patch a critical WebKit flaw—CVE‑2026‑20643—that could let malicious web content bypass Safari’s Same Origin Policy on iPhones, iPads and Macs. The vulnerability was discovered by security researcher Thomas Espach and is now addressed through improved input validation in the Navigation API.
The fix is available as a lightweight patch for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1 and macOS 26.3.2 without requiring users to install a full operating‑system update. Apple’s new Background Security Improvements feature allows small, out‑of‑band patches to be delivered directly to specific components (such as Safari, WebKit and other system libraries) between major releases.
To access the feature, users can go to Settings → Privacy & Security on iPhones and iPads, or System Settings → Privacy & Security on Macs. Apple cautions that uninstalling a Background Security Improvements update will revert all previously applied patches, returning the device to its baseline OS version (e.g., iOS 26.3.1) without incremental security fixes. It is therefore strongly recommended not to remove these updates unless one of them causes issues.
With this patch in place, devices are better protected against cross‑origin exploits that could otherwise allow attackers to inject malicious code into web pages. Apple’s approach demonstrates a new strategy for rapid response to emerging threats without the downtime associated with full OS upgrades.