Apple has released its first Background Security Improvements update to fix a WebKit flaw tracked as CVE-2026-20643 on iPhones, iPads, and Macs without requiring a full operating system upgrade.
The CVE-2026-20643 flaw allows malicious web content to bypass the browser's Same Origin Policy.
Apple says the flaw is a cross-origin issue in the Navigation API that was addressed with improved input validation.
The vulnerability was discovered by security researcher Thomas Espach. The new update is available on iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2.
This release is the first time Apple has pushed a security fix through its new Background Security Improvements feature, which is used to deliver small out-of-band patches outside the normal security update cycle.
"Background Security Improvements deliver lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries that benefit from smaller, ongoing security patches between software updates," explains Apple.
"In rare instances of compatibility issues, Background Security Improvements may be temporarily removed and then enhanced in a subsequent software update."
In the past, Apple security updates required users to install a new OS version and restart their device. However, with Background Security Improvements, Apple can now deliver small updates that are applied to specific components in the background.
Apple added the feature in iOS 26.1, iPadOS 26.1, and macOS 26.1, stating that it would be used to quickly patch security flaws between releases.