Particle.news
Get it on Google Play
Download on the App Store
26 ARTICLES
·
yesterday

Apple Deploys First Background Security Improvement to Patch WebKit Same‑Origin Bypass

The out-of-band fix for CVE-2026-20643 arrives as lightweight 26.3.x (a) builds, with experts urging users to enable automatic Background Security Improvements.

Image
Background Security Improvements in iOS 26.3.1
Stock image: The newly released iPhone 17e is displayed during the "Special Apple Experience" launch event at the Apple Store in the Manhattan borough of New York City, on March 4, 2026.
Image

Overview

  • Apple issued iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and a macOS 26.3.2 (a) build for MacBook Neo to address the flaw.
  • The vulnerability is a cross‑origin issue in WebKit’s Navigation API that could bypass the Same Origin Policy, now mitigated with improved input validation and credited to researcher Thomas Espach.
  • Updates are delivered through Settings/System Settings > Privacy & Security > Background Security Improvements, can be set to install automatically, and typically require only a brief restart.
  • Apple has not said whether CVE-2026-20643 has been exploited, but security practitioners advise installing immediately and keeping automatic Background Security Improvements enabled.
  • This marks the first public use of Apple’s lightweight, out‑of‑band BSI channel—reviving the Rapid Security Response concept—to push quick fixes for high‑risk components like WebKit, with devices off the 26.x branch receiving patches via regular updates.