157/69 Thursday, March 19, 2026

Apple has introduced a new security mechanism called “Background Security Improvements” to address a critical vulnerability in WebKit (tracked as CVE-2026-20643), discovered by researcher Thomas Espach. The flaw affects users of iPhone, iPad, and Mac, and stems from an issue in the Navigation API, which could allow malicious websites to bypass browser protections and gain unauthorized access to sensitive data. Apple has mitigated the issue by strengthening input validation mechanisms in operating system versions iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1 and later.
A key advantage of this new approach is the ability to deliver targeted security patches for specific components, such as Safari or system libraries, without requiring a full OS update or, in some cases, even a device restart. This feature, introduced starting from version 26.1, is designed to enable faster responses to emerging cyber threats. By deploying out-of-band patches, Apple significantly reduces the window of exposure to newly discovered vulnerabilities, improving both the flexibility and responsiveness of its security model.
Users can verify that the feature is enabled under Privacy & Security in their device settings. Apple strongly advises against disabling or removing these background security updates, as doing so would remove all previously applied micro-patches and revert the device to a more vulnerable state. To maintain optimal protection, security experts recommend keeping this feature enabled at all times unless it causes significant operational issues.
