Overview
- Apple released iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a) for MacBook Neo on March 17 as its first Background Security Improvements.
- The patch addresses CVE-2026-20643, a WebKit Navigation API cross‑origin flaw that could let malicious content bypass the browser’s Same Origin Policy.
- Security researcher Thomas Espach is credited for the finding, and Apple says it resolved the issue through improved input validation.
- BSIs are available under Settings/System Settings > Privacy & Security and can auto‑install when enabled, typically completing with a quick restart.
- Apple cautions that BSIs may be removed in rare compatibility cases, with fixes later included in subsequent standard software updates.