Apple Relaunches Background Security Improvements with WebKit Patch

Apple has released iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a), marking the first public use of its new Background Security Improvements system, a renamed version of the previous Rapid Security Responses (see “What Are Rapid Security Responses and Why Are They Important?,” 2 May 2023). Much like Rapid Security Responses, these updates deliver “lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries” without requiring a full operating system update. Apple provides much more information about Background Security Improvements in the Platform Security guide.

The sole issue addressed, CVE-2026-20643, involves a flaw in WebKit’s implementation of the Navigation API that could allow maliciously crafted Web content to bypass the Same Origin Policy. The same-origin policy is a foundational browser safeguard that prevents a malicious script on one site from accessing data on another.

Apple doesn’t say that this vulnerability has been actively exploited, but the company considered it important enough to ship via this new mechanism, even though OS 26.4 is due out soon.

Given that implicit indication of importance, we recommend installing this Background Security Improvement soon. In theory, that shouldn’t require any action on your part, as long as Automatically Install is turned on in Settings/System Settings > Privacy & Security > Background Security Improvements. It’s as yet unknown when that automatic install will take place, but you can also install manually by tapping Install, waiting a few minutes for it to download, and then tapping Restart & Install.

Unsurprisingly, you’ll see an option for the (a) releases only if you have 26.3.1 or 26.3.2 (the latter only for the MacBook Neo) installed. In practice, that’s likely a small group, since 26.3.1 was released primarily for Apple Studio Display updates and macOS 26.3.2 is limited to the MacBook Neo (see “OS 26.3.1 Adds Studio Display Support, Fixes Bugs,” 6 March 2026). If you’re still running an older version of OS 26, the Background Security Improvement will instead be bundled with the overall update available in Settings/System Settings > General > Software Update.

What’s notable about Background Security Improvements is that they can be smaller and quicker to install than full operating system updates, and they can be reverted, either by the user or Apple. Apple says Background Security Improvements that update only Safari on the Mac will require just a Safari relaunch, not a full restart. However, this update requires a restart—and on the Mac, it doesn’t prompt you first as it does in iOS. It felt surprisingly abrupt after the relatively slow downloading phase.

To remove a Background Security Improvement, navigate to Settings/System Settings > Privacy & Security > Background Security Improvements, tap the ⓘ button next to the update, then Remove & Restart. You might want to do this if you notice problems with Safari after installing.

After Apple made a big fuss about Rapid Security Responses in 2023 and used them a few times for iOS and iPadOS, it made a mistake by updating Safari’s version number to include the parenthetical update letter. That prevented some websites, notably Facebook and Instagram, from recognizing Safari, causing them to display their mobile versions instead of the desktop versions. Apple quickly pulled the updates (see “Apple Pulls Rapid Security Responses Due to Website Loading Issues,” 11 July 2023) and then reissued them (see “Rapid Security Responses for iOS/iPadOS 16.5.1 (c) and macOS Ventura 13.4.1 (c),” 13 July 2023). This time, Apple was careful to change only Safari’s build number.

That debacle seemingly scared Apple away from Rapid Security Responses. (If only it scared some people away from Facebook and Instagram.) Apple issued no Rapid Security Responses for the next two operating system cycles and introduced Background Security Improvements only in iOS 26.1, iPadOS 26.1, and macOS 26.1 Tahoe. We’ll see if they’re here to stay this time.