- Apple released its first Background Security Improvements to patch a cross-origin vulnerability in WebKit.
- The flaw, CVE-2026-20643, could bypass the same-origin policy on iOS, iPadOS, and macOS via malicious web content.
- The feature delivers smaller, ongoing security patches for components like Safari and WebKit outside of major updates.
- Users should keep the “Automatically Install” option on in Settings to receive these improvements promptly.
Apple addressed a significant WebKit security flaw on Tuesday, March 18, 2026, through its newly deployed system for lightweight patches. This represents the company’s first use of Background Security Improvements, a mechanism designed to deliver ongoing security fixes more efficiently.
The vulnerability, tracked as CVE-2026-20643, is a cross-origin issue in WebKit’s Navigation API. Consequently, it could allow attackers to bypass the same-origin policy when processing specifically crafted web content.
The flaw affected iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Apple resolved it with improved input validation in subsequent minor releases credited to researcher Thomas Espach.
Background Security Improvements are supported starting with iOS 26.1, iPadOS 26.1, and macOS 26. Meanwhile, the company notes they may be temporarily removed if compatibility issues arise.
Users control these updates via the Privacy and Security menu in Settings. Keeping the “Automatically Install” option enabled is advised to ensure immediate installation.
If disabled, users must wait for the next full software update. This feature is analogous to the Rapid Security Response system Apple introduced in iOS 16.
Removing an applied improvement reverts the device to its baseline software version. This development follows recent patches for other exploited vulnerabilities, including one targeted by the Coruna exploit kit.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
