Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS.
The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit’s Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content.
The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. It has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming.
Apple notes that Background Security Improvements are meant for delivering lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries through smaller, ongoing security patches rather than issuing them as part of larger software updates.
The feature is supported and enabled for future releases starting with iOS 26.1, iPadOS 26.1, and macOS 26. In cases where compatibility issues are discovered, the improvements may be temporarily removed and then enhanced in a subsequent software update, Apple adds.
Users can control Background Security Improvements via the Privacy & Security menu in the Settings app. To ensure that they are automatically installed, it is recommended to keep the “Automatically Install” option on.
It's worth noting that if users opt to have this setting disabled, they will have to wait until the improvements are included in the next software update. Viewed in that light, the feature is analogous to Rapid Security Response, which Apple introduced in iOS 16 as a way to install minor security updates.
“If a Background Security Improvement has been applied, and you choose to remove it, your device reverts to the baseline software update (for example, iOS 26.3) with no Background Security Improvements applied,” Apple noted in a support document.
The development comes a little over a month after Apple issued fixes for an actively exploited zero-day impacting iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS (CVE-2026-20700, CVSS score: 7.8) that could result in arbitrary code execution.
Last week, the iPhone maker also expanded patches for four security flaws (CVE-2023-43010, CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222) that had been weaponized as part of the Coruna exploit kit.



