Apple has launched its first Background Safety Enhancements replace to repair a WebKit flaw tracked as CVE-2026-20643 on iPhones, iPads, and Macs with out requiring a full working system improve.
The CVE-2026-20643 flaw permits malicious internet content material to bypass the browser’s Similar Origin Coverage.
Apple says the flaw is a cross-origin concern within the Navigation API that was addressed with improved enter validation.
The vulnerability was found by safety researcher Thomas Espach, with the brand new replace out there on iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2.
This launch is the primary time Apple has pushed a safety repair by means of its new Background Safety Enhancements characteristic, which is used to ship small out-of-band patches outdoors the traditional safety replace cycle.
“Background Safety Enhancements ship light-weight safety releases for parts such because the Safari browser, WebKit framework stack, and different system libraries that profit from smaller, ongoing safety patches between software program updates,” explains Apple.
“In uncommon cases of compatibility points, Background Safety Enhancements could also be briefly eliminated after which enhanced in a subsequent software program replace.”
Previously, Apple safety updates required customers to put in a brand new OS model and restart their system. Nevertheless, with Background Safety Enhancements, Apple can now ship small updates which might be utilized to particular parts within the background.
Apple added the characteristic in iOS 26.1, iPadOS 26.1, and macOS 26.1, stating it was for use to shortly patch safety flaws between releases.
Customers can entry the characteristic by means of their system settings beneath the Privateness & Safety menu.
- On iPhone and iPad: Go to Settings, then faucet Privateness & Safety.
- On Mac: From the Apple menu, select System Settings. Then click on Privateness & Safety.
Apple warns that uninstalling a Background Safety Enhancements replace removes all beforehand utilized background patches, reverting the system to the baseline OS model (akin to iOS 26.3.1) with none of the incremental safety fixes.
This successfully removes the rapid-response safety protections delivered by means of this characteristic, leaving gadgets on the baseline safety degree till the updates are reapplied or included in a future full replace.
Subsequently, except a baseline safety enchancment causes a difficulty in your system, it’s strongly really helpful that they not be uninstalled.
Malware is getting smarter. The Pink Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your safety stack is blinded.
