
Apple on Tuesday released the first round of background security improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS.
The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), is described as a cross-origin issue in WebKit’s Navigation API that can be exploited to bypass the same-origin policy when processing maliciously crafted web content.
This flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. This issue is addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach is credited with discovering and reporting this flaw.
Apple says the background security improvements are aimed at delivering lightweight security releases for components such as the Safari browser, the WebKit framework stack, and other system libraries through small, ongoing security patches, rather than issuing them as part of larger software updates.
This feature will be supported and enabled in future releases of iOS 26.1, iPadOS 26.1, macOS 26 and later. If compatibility issues are discovered, the improvements may be temporarily removed and then enhanced in subsequent software updates, Apple added.
Users can control background security improvements from the Privacy & Security menu in the Settings app. To ensure the improvements are installed automatically, we recommend leaving the Automatic installation option checked.
Note that users who disable this setting will have to wait until the improvements are included in the next software update. In that respect, this feature is similar to Rapid Security Response, which was introduced in iOS 16 as a way to install minor security updates.
“If background security improvements are applied, and you choose to remove them, your device reverts to a baseline software update (such as iOS 26.3) that does not have background security improvements applied,” Apple says in a help document.
This development comes a little more than a month after Apple released a fix for an actively exploited zero-day (CVE-2026-20700, CVSS score: 7.8) that affected iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS and could lead to arbitrary code execution.
Last week, the iPhone maker extended patches for four security flaws (CVE-2023-43010, CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222) that were weaponized as part of the Coruna exploit kit.
