Apple released its first Background Security Improvements update to patch a WebKit vulnerability (CVE-2026-20643) on iPhone, iPad, and Mac without requiring a full OS upgrade. The cross-origin Navigation API flaw, discovered by Thomas Espach, was fixed with improved input validation, and the fix is available on iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Users are advised not to uninstall Background Security Improvements except for compatibility issues.
Key points
- Apple delivered the WebKit fix via its new Background Security Improvements feature to avoid full OS updates.
- CVE-2026-20643 is a cross-origin Navigation API bug that malicious web content can use to bypass the Same Origin Policy.
- The issue was resolved by improving input validation in the Navigation API.
- Security researcher Thomas Espach reported the vulnerability, and updates are available on iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2.
- Uninstalling Background Security Improvements removes all incremental background patches and reverts the device to the baseline OS security level.