IT之家 2026-03-18

Apple issues quiet security patch for iOS, iPadOS and macOS to close critical WebKit hole

Apple has shipped a "Background Security Improvement" update for iOS 26.3.1, iPadOS 26.3.1 and macOS 26.3.1 (plus a separate macOS 26.3.2 build for some Macs) that addresses a high-severity WebKit vulnerability tracked as CVE-2026-20643, IT Home (IT之家) reports. The download is small but the fix is important: the flaw could let a malicious website bypass browser protections. Who should install it? Everyone running the affected releases.

What Apple fixed

Apple says the bug is a cross-origin issue in the Navigation API, addressed with improved input validation in WebKit, the browser engine behind Safari and most in-app browsers on iOS and iPadOS. If exploited, the flaw could undermine the Same-Origin Policy, the rule that stops one site from reading another site's cookies, stored data or active sessions. Apple reportedly tightened the input checks to restore that boundary, but has not said whether the vulnerability has been exploited in the wild.
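To make the boundary concrete, the following is an added illustration written for this article, not Apple or WebKit code and not a reconstruction of the CVE (Apple has published no details of the bug). It models, in plain JavaScript, how an engine reduces a URL to its origin tuple (scheme, host, port), why string-based shortcuts are not an acceptable origin check, and why a cross-origin navigation entry must be exposed to script only as an opaque marker. The function names and the sample URLs are assumptions for the example; it runs under Node.js.

```javascript
// Illustrative model of the Same-Origin Policy check, added for this article.
// Not WebKit code; the hostnames and function names are invented for the example.

// Default ports per scheme: https://example.com and https://example.com:443
// are the same origin, so the port must be normalised before comparing.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin tuple. Schemes without a network authority
// (data:, blob:, about:) are treated here as opaque origins, which are
// never same-origin with anything, including a second copy of themselves.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) {
    return { opaque: true };
  }
  return {
    opaque: false,
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// The correct comparison: all three components must match exactly.
// Path, query and fragment play no part in the origin.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.opaque || ob.opaque) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// A shortcut an origin check must never take: suffix-matching the hostname
// accepts "evilexample.com" for "example.com" and ignores scheme and port.
// Shown only as a generic pitfall; it is not a claim about the patched bug.
function sloppySameSite(a, b) {
  return new URL(b).hostname.endsWith(new URL(a).hostname);
}

// Model of what a document at `callerUrl` may learn about a history entry
// for `entryUrl`: same-origin entries expose their URL and stored state,
// cross-origin entries are reduced to an opaque marker with no URL or state.
function visibleEntry(callerUrl, entryUrl, state) {
  if (sameOrigin(callerUrl, entryUrl)) {
    return { url: entryUrl, state, crossOrigin: false };
  }
  return { url: null, state: null, crossOrigin: true };
}

// Constructed sample: a shopping site trying to read a banking site's entry.
const peek = visibleEntry("https://shop.example/cart", "https://bank.example/acct", { step: 2 });
console.log(peek); // { url: null, state: null, crossOrigin: true }
console.log(sameOrigin("https://example.com/a", "https://example.com:443/b?x=1")); // true
console.log(sloppySameSite("https://example.com/", "https://evilexample.com/")); // true (wrong)
```

The last two lines show the contrast the paragraph is about: the tuple comparison treats the default port and a different path as the same origin, while the suffix shortcut lets an unrelated host through. Any engine-level check that exposes history, storage or session data across a boundary has to behave like `sameOrigin`, and a defect in that logic is exactly what lets one site reach into another.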

How the patch is delivered

The company used its Background Security Improvement mechanism to deliver a small fix without waiting for a full OS release. That matters because, outside the EU (where alternative engines have been permitted since iOS 17.4), WebKit is the required browser engine for every iOS app, so a single engine vulnerability exposes every app that renders web content. Users can review or remove these background patches under Settings → Privacy & Security → Background Security Improvements on iPhone, iPad and Mac.

Why it matters beyond this patch

Browser engine vulnerabilities are high-value targets for criminal groups and state-backed operators alike, because one flaw reaches every app and site the engine renders. Quick, targeted fixes shrink the exposure window, but organisations and users that defer updates for compatibility, enterprise-policy or device-support reasons remain at risk. Apple's prompt background update shows the value of being able to ship security fixes independently of major OS upgrades.
