Apple has released a set of background security improvements to address a vulnerability in its WebKit engine that could allow attackers to bypass core browser security protections across its ecosystem. The flaw, tracked as CVE 2026 20643, affects multiple platforms including iOS, iPadOS, and macOS, highlighting the widespread impact of issues within shared system components such as WebKit, which underpins the Safari browser and other web based applications.
The vulnerability has been described as a cross origin issue within WebKit’s Navigation API that could be exploited through specially crafted web content. By leveraging this flaw, an attacker may be able to bypass the same origin policy, a fundamental browser security mechanism designed to prevent unauthorized interaction between different web domains. The issue affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, and has been addressed through improved input validation in updated versions labeled with incremental security releases. Security researcher Thomas Espach has been credited with identifying and reporting the vulnerability.
The update is part of Apple’s background security improvements framework, a mechanism designed to deliver smaller, targeted security fixes outside of full operating system updates. This approach allows the company to address vulnerabilities in components such as WebKit, Safari, and core system libraries in a more flexible manner. The feature has been supported since iOS 26.1, iPadOS 26.1, and macOS 26, enabling ongoing security enhancements to be applied without requiring users to install complete system upgrades. Apple noted that in cases where compatibility concerns arise, these updates can be temporarily rolled back and refined in subsequent releases to maintain system stability.
Users have the option to manage these background updates through the Privacy and Security settings menu, where automatic installation can be enabled or disabled. Keeping the automatic installation feature active ensures that devices receive timely security fixes without user intervention. If the option is turned off, users will need to wait until the fixes are bundled into a future software update before receiving protection. Apple explained that this system functions similarly to the Rapid Security Response feature introduced in earlier versions, offering a streamlined method to deploy incremental patches.
The latest update follows a series of recent security activities by Apple, including fixes for an actively exploited vulnerability identified as CVE 2026 20700, which could allow arbitrary code execution across multiple platforms such as macOS Tahoe, tvOS, watchOS, and visionOS. In addition, the company recently expanded patches for several previously disclosed flaws associated with the Coruna exploit kit. These developments reflect ongoing efforts to address security risks within its software ecosystem and maintain protection across its range of devices and services.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
