thehackernews.com 3/18/2026, 7:30:04 AM

Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

Apple on Tuesday released its first round of Background Security Improvements to address a WebKit vulnerability that could allow a same-origin policy bypass when processing malicious web content, affecting iOS, iPadOS, and macOS. The flaw is tracked as CVE-2026-20643 and was described as a cross-origin issue in WebKit's Navigation API.

It impacts iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, and has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming.

Apple notes that Background Security Improvements are meant to deliver lightweight security releases for components such as the Safari browser, the WebKit framework stack, and other system libraries through smaller, ongoing patches rather than larger software updates. Users can control these improvements via the Privacy and Security menu in Settings; if auto-install is disabled, the improvements will wait for the next software update, according to Apple.


Article by CyberSIXT