Apple's silent WebKit patch

Apple quietly rolled out its first Background Security Improvement — a silent, no‑user‑action patch that fixed a WebKit flaw already being exploited to steal auth tokens and credentials from other open tabs. This marks a shift to continuous, behind‑the‑scenes patching that could change how apps detect and respond to urgent browser bugs. (prismnews.com) (cnet.com)

Tracked as CVE-2026-20643 and linked to WebKit Bugzilla 306050, Apple published the Background Security Improvement on March 17, 2026 for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. (support.apple.com) Apple’s advisory credits researcher Thomas Espach as the reporter and describes the fix as “improved input validation” in the Navigation API. (support.apple.com)

Background Security Improvements are supported beginning with iOS/iPadOS/macOS 26.1 and are described by Apple as “lightweight security releases” for components such as Safari and the WebKit framework. (support.apple.com) The BSI channel appears in Settings > Privacy & Security > Background Security Improvements with an “Automatically Install” toggle, and Apple’s documentation notes these updates install between full OS releases. (support.apple.com)

Apple delivered the WebKit fix as a modular Background Security Improvement rather than a full OS upgrade, and outlets reported the update required only a quick device restart rather than a longer full update process. (bleepingcomputer.com) Apple’s documentation warns a Background Security Improvement can be removed — reverting the device to the baseline OS — and deployment guidance notes the BSI channel does not adhere to managed software-update delays used by some enterprises. (support.apple.com)

Practical assessments of exploitation diverge: Cequence Security’s Randolph Barr is quoted saying the bug “breaks the same-origin policy” and was being actively exploited, while Malwarebytes reported attackers do not currently appear to be exploiting the issue in the wild; Apple declined to confirm exploitation. (prismnews.com)
