Apple hot‑patches WebKit
Apple pushed its new Background Security Improvements update for iOS, iPadOS and macOS to fix a WebKit vulnerability (CVE‑2026‑20643); it installs via Settings without requiring a full OS reboot. The change signals that Apple is moving to more granular, hot‑patchable fixes across its platforms. (bleepingcomputer.com) (techcrunch.com)
Apple published the first Background Security Improvement as iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a) on March 17, 2026. (support.apple.com) Apple’s advisory describes CVE‑2026‑20643 as a cross‑origin issue in WebKit’s Navigation API that may allow processing of maliciously crafted web content to bypass the Same Origin Policy, and it cites WebKit Bugzilla 306050 while crediting Thomas Espach for the report. (support.apple.com)
Background Security Improvements are the rebranded successor to Rapid Security Responses, supported beginning with iOS/iPadOS/macOS 26.1, and Apple says it will publish BSI entries by date with component and CVE details. (support.apple.com) (tidbits.com) Apple’s platform security documentation explains that the BSI mechanism moves patchable content into cryptex-backed disk images updated via Image4 manifests, permits rollback to the baseline OS, and requires lower battery levels to install than full software updates. (support.apple.com 1) (support.apple.com 2)
Field reports show differences in user experience: at least one test of this WebKit BSI required a Mac restart without a prior prompt, while testers reported that iPhone restart times for the (a) release were shorter than a standard update’s 5–10 minute outage. (tidbits.com) (engadget.com)
Enterprise tooling can manage BSI behavior: Addigy documents MDM keys to allow or block installation and removal of Background Security Improvements (formerly Rapid Security Responses), and Apple requires devices to be on the latest supported releases (iOS/iPadOS/macOS 26.1+) to receive BSIs. (support.addigy.com) (support.apple.com)