DarkReading

WebKit Vulnerability Fixed In Apple Security Update


Apple has released a new security update to address a critical WebKit vulnerability tracked as CVE-2026-20643. The vulnerability was identified as a cross-origin issue within the Navigation API of WebKit, the browser engine that underpins Safari and other web-based functionality across iOS, iPadOS, and macOS.  

The flaw could allow maliciously crafted web content to bypass the Same Origin Policy, a fundamental security control that prevents unauthorized data access between websites. 

Apple addressed this issue through improved input validation. The fix was released as part of Background Security Improvements for: 

  • iOS 26.3.1 (a) 
  • iPadOS 26.3.1 (a) 
  • macOS 26.3.1 (a) 
  • macOS 26.3.2 (a) 

These Apple updates were issued on Wednesday. Notably, the “(a)” suffix indicates a background patch rather than a traditional OS update. 

The WebKit Vulnerability CVE-2026-20643 

According to Apple’s official documentation, titled “About the security content of Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2,” the advisory states: “This document describes the content of Background Security Improvements.” 

The documentation further explains, “Background Security Improvements deliver important security improvements between software updates and are available only for the latest versions of iOS, iPadOS, and macOS.” 


The vulnerability is also tracked in WebKit Bugzilla under ID 306050 and credited to researcher Thomas Espach. 

Despite being designed as automatic and unobtrusive, these background patches are not entirely hands-off for organizations. Security professionals emphasize the need for continued monitoring and configuration. 

Continued Support for Older iOS and iPadOS Versions 

Alongside addressing CVE-2026-20643 in modern systems, Apple also released security updates for older devices that cannot upgrade to the latest versions of iOS and iPadOS. 

On March 11, 2026, updates for iOS 16.7.15 and iPadOS 16.7.15 were issued. These included a WebKit fix for a vulnerability (CVE-2023-43010) that could lead to memory corruption when processing malicious web content. The issue was originally addressed in iOS 17.2 on December 11, 2023, and has now been backported to older devices. 

Similarly, updates for iOS 15.8.7 and iPadOS 15.8.7 included multiple fixes affecting both the kernel and WebKit: 

  • CVE-2023-41974: A kernel vulnerability allowing arbitrary code execution, originally fixed in iOS 17. 
  • CVE-2024-23222: A WebKit type confusion issue that could enable code execution. 
  • CVE-2023-43000 and CVE-2023-43010: Memory corruption flaws in WebKit, addressed through improved memory handling. 

These updates help ensure that older devices remain protected against known threats, including exploit chains like Coruna, which have been addressed across multiple patches. By backporting fixes, Apple is maintaining consistent security coverage across WebKit on iOS, iPadOS, and macOS, even for systems that cannot run the latest versions.

The response to CVE-2026-20643 also highlights a shift in Apple’s update strategy. By separating critical fixes from full OS releases, the company can deliver patches faster, reducing the window of exposure for vulnerabilities in WebKit across iOS, iPadOS, and macOS.

At the same time, this approach requires IT and security teams to adjust. Instead of relying on periodic updates, they must track and verify smaller background patches, ensure compliance, maintain visibility into deployments, and confirm protections like those for CVE-2026-20643 are properly applied across all managed devices.
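As an added example for the verification step just described (not code from the article, DarkReading, or Apple), the POSIX shell check below reads `sw_vers`-style output from a Mac and reports whether the version string carries the background-patch suffix, so a fleet script can distinguish “26.3.1 (a)” from plain “26.3.1” or an older base version. It assumes, as on recent macOS releases, that `sw_vers` prints a `ProductVersionExtra:` line holding that suffix once a Background Security Improvement is installed; the three sample outputs are constructed, and the build strings are placeholders rather than real Apple builds.

```shell
#!/bin/sh
# Added example, not from the article or Apple: report whether a Mac's version
# string carries Apple's background-patch suffix such as "(a)".
# Assumption: on recent macOS, `sw_vers` prints a "ProductVersionExtra:" line
# holding that suffix once a Background Security Improvement is installed.

# bsi_status EXPECTED_VERSION SW_VERS_OUTPUT
#   prints one line and returns:
#     0  "patched <version> <suffix>"  base version matches and a suffix is present
#     1  "base-only <version>"         base version matches, no background patch
#     2  "other-version <version>"     device is on a different base version
bsi_status() {
    expected="$1"
    output="$2"
    # Field separator: a colon followed by any run of spaces/tabs (sw_vers pads with tabs).
    version=$(printf '%s\n' "$output" | awk -F':[ \t]*' '$1 == "ProductVersion" { print $2 }')
    extra=$(printf '%s\n' "$output" | awk -F':[ \t]*' '$1 == "ProductVersionExtra" { print $2 }')

    if [ "$version" != "$expected" ]; then
        echo "other-version $version"
        return 2
    fi
    case "$extra" in
        '('?')')  echo "patched $version $extra"; return 0 ;;
        *)        echo "base-only $version"; return 1 ;;
    esac
}

# Constructed sample outputs in sw_vers layout (build strings are placeholders).
SAMPLE_PATCHED=$(printf 'ProductName:\t\tmacOS\nProductVersion:\t\t26.3.1\nProductVersionExtra:\t(a)\nBuildVersion:\t\tPLACEHOLDER\n')
SAMPLE_BASE=$(printf 'ProductName:\t\tmacOS\nProductVersion:\t\t26.3.1\nBuildVersion:\t\tPLACEHOLDER\n')
SAMPLE_OLD=$(printf 'ProductName:\t\tmacOS\nProductVersion:\t\t26.2\nBuildVersion:\t\tPLACEHOLDER\n')

# Demo run against the constructed samples; for a live check on a Mac use:
#   bsi_status 26.3.1 "$(sw_vers)"
for sample in "$SAMPLE_PATCHED" "$SAMPLE_BASE" "$SAMPLE_OLD"; do
    bsi_status 26.3.1 "$sample" || true
done
```

The exit codes are deliberate: a management script can treat 1 (base version present but no suffix) as “needs the background patch” and 2 (wrong base version) as “needs a full OS update first,” since Background Security Improvements are only offered for the latest release. iOS and iPadOS expose no shell, so the equivalent check there has to come from the MDM’s device inventory rather than from this script.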
