Apple has issued a security update to address a WebKit vulnerability that could allow browser protection bypass on iPhones, iPads, and Macs.
The flaw, tracked as CVE-2026-20643, affects WebKit’s Navigation API and could let malicious websites circumvent the same-origin policy, a core browser security control that prevents cross-domain data access. Apple resolved the issue via input validation improvements across builds of iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.2.
The vulnerability was discovered and reported by security researcher Thomas Espach. Apple has not disclosed a Common Vulnerability Scoring System (CVSS) rating or confirmed active exploitation.
This release is notable because it was delivered using Apple’s Background Security Improvements mechanism, added in iOS 26.1 and macOS 26. The feature enables smaller, targeted security patches to be applied without full OS updates or the need for device restarts.
Lightweight Patching Updates Apple Strategy
Apple says the new system is designed to push incremental fixes to critical components. The list includes the Safari browser engine as well as underlying system libraries between major updates. According to the company, these updates are automatically applied when the “Automatically Install” setting is enabled in the Privacy & Security menu.
The new approach is similar to the company’s Rapid Security Response model but adds granular background patching. However, Apple cautions that disabling these updates will revert devices to their baseline OS version, removing any interim security protections.
The update follows a series of recent security fixes from Apple. In February 2026, the company addressed an actively exploited zero-day vulnerability (CVE-2026-20700) that could lead to arbitrary code execution-based attacks. The move also included expanded patches for multiple previously disclosed flaws linked to the Coruna exploit kit.
For security teams, the shift toward continuous background patching may reduce exposure windows, but it also warrants new considerations around update visibility, testing, and device management.
