Apple has released a new Background Security Improvements update to resolve a WebKit vulnerability tracked as CVE-2026-20643 across iPhone, iPad, and Mac devices. This delivery method allows the company to patch critical flaws in system libraries and browser components without requiring users to perform a full operating system upgrade or restart.
The specific vulnerability addressed in this release involves a cross-origin issue within the Navigation API that could allow malicious web content to bypass the standard Same Origin Policy. Discovered by researcher Thomas Espach, the flaw was mitigated through enhanced input validation. This update is currently available for devices running versions 26.3.1 or 26.3.2 of iOS, iPadOS, and macOS, marking the first time Apple has utilized this lightweight delivery system for an out-of-band security patch.
By using the Background Security Improvements feature, Apple can now target specific components like the Safari browser and the WebKit framework stack between major software cycles. These small, focused patches are designed to be applied automatically in the background, providing a faster response to emerging threats than the traditional method of bundled OS updates. While the feature was introduced in version 26.1 of Apple's various operating systems, this deployment serves as its first practical application for a public security fix.
Users can manage these updates through the Privacy and Security menu within their system settings on both mobile and desktop platforms. Apple has designed the system to be unobtrusive, but it does allow for the removal of these background patches if compatibility issues arise. In such rare cases, the system might temporarily pull an update to refine it before a subsequent re-release, ensuring that the balance between system stability and security remains intact.
However, the company warns that uninstalling a background improvement will revert the device to its baseline operating system version, effectively removing all incremental security protections provided by previous background patches. This action leaves the device vulnerable to the very exploits the patches were intended to block until a full software update is installed. Consequently, security experts and Apple both recommend keeping these improvements active unless they cause significant functional problems on the device.
Source: Apple Rolls Out Background Security Update to Patch WebKit Vulnerability


