A Background Security Improvement in iOS 26.3.1 fixes a WebKit issue in Safari that could break one of the web's most important safety rules.
Apple released a Background Security Improvement on March 17 for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. The update fixes a WebKit flaw that could let a malicious website bypass a key browser security rule.
The company said the issue was caused by a cross-origin problem in the Navigation API and assigned it CVE-2026-20643. Apple addressed the flaw by improving input validation to stop harmful web content from breaking the browser's protections.
The update applies to the latest Apple operating system versions and is delivered outside of standard releases. Apple uses Background Security Improvements to quickly push smaller security fixes, especially for system components that are constantly exposed.
Apple hasn't disclosed whether the vulnerability was exploited in real-world attacks.
WebKit's role makes even a single flaw important
The flaw impacts the Same Origin Policy, a browser rule designed to stop one website from accessing another site's data. That data includes cookies, saved data, and active sessions that users expect to remain private.
When that rule is violated, the risk extends beyond a typical bug. A malicious webpage could interact with data from another site, compromising one of the fundamental safety measures of the web.
WebKit, the underlying technology, powers Safari, numerous third-party browsers on iOS and iPadOS, and in-app web views across Apple platforms. It operates every time a user opens a webpage or loads web content within an app.
Improving Apple device security in the background
While the advisory only identifies one vulnerability, the significance of the component outweighs the number of vulnerabilities. WebKit continuously processes untrusted content, making it a frequent target for attacks.
Cross-origin flaws specifically target the web's mechanism for separating different sites. If the separation fails, the browser loses its ability to reliably keep data from various sites distinct.
Background Security Improvements enable Apple to deliver fixes promptly without waiting for a complete operating system update. The system prioritizes high-risk components like WebKit, where delays can significantly increase exposure.
Where to find Background Security Improvements
Background Security Improvements are managed in Privacy & Security settings rather than the standard Software Update screen. On iPhone and iPad, open Settings, tap Privacy & Security, then select Background Security Improvements to view or manage updates.
On the Mac, open System Settings, choose Privacy & Security, and select Background Security Improvements. The same menu shows whether updates are installed and allows them to be removed in rare cases.
Apple also ties these updates to automatic update settings. Enabling Security Responses & System Files under Software Update allows the system to install fixes in the background without waiting for a full OS update.





