Overview
- Apple’s update fixes CVE-2026-20643, a cross-origin flaw in WebKit’s Navigation API that could bypass the Same Origin Policy, using improved input validation.
- The releases are labeled iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a), with the 26.3.2 build targeting MacBook Neo.
- Installation is smaller and faster than a full OS upgrade, requiring a brief restart, and applies only to devices on the latest 26.x baseline; others will receive the fix in the next standard update.
- Security researcher Thomas Espach is credited with reporting the vulnerability, and Apple has not disclosed any evidence of active exploitation.
- Background Security Improvements can be installed or rolled back under Settings > Privacy & Security, and Apple cautions that removals revert the device to the baseline OS and may follow rare compatibility issues.