Quick patch without reboot: Apple fixes critical WebKit vulnerability in background (CVE-2026-20643)


Apple has started using a new way to patch critical vulnerabilities without forcing users to install a complete system update. This first delivery of fixes via Background Security Improvements addresses a flaw in WebKit tracked as CVE-2026-20643, which allowed malicious web content to bypass cross-origin restrictions and, under certain conditions, access resources that should remain isolated.

In simple terms, web browsers and engines apply the so-called Same Origin Policy to prevent a page in one domain from reading data belonging to a different domain. When that barrier is compromised, it opens vectors for information theft, session hijacking or unauthorized actions by scripts loaded from malicious sites. If you want to dig deeper into how this security policy works, Mozilla's technical documentation provides a clear explanation in accessible language: Same Origin Policy (MDN).
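To make the policy concrete, here is an added illustration (not code from Apple, WebKit or the original article) of how an origin is compared as a scheme, host and port tuple. The helper names and the example.com URLs are assumptions chosen for the example, and the sample pairs are constructed.

```javascript
"use strict";

// Hypothetical helper (not a browser API): returns the (scheme, host, port)
// tuple for a URL, or null when the origin is opaque or the input is invalid.
function originTuple(input) {
  let url;
  try {
    url = new URL(input);
  } catch (err) {
    return null; // relative or malformed URL: no origin can be derived
  }
  // data:, file: and similar URLs serialize their origin as the string "null".
  if (url.origin === "null") return null;
  // The URL parser lowercases the host and drops the scheme's default port.
  return { scheme: url.protocol, host: url.hostname, port: url.port };
}

// Compare two URLs the way the policy does: all three parts must match.
function compareOrigins(a, b) {
  const oa = originTuple(a);
  const ob = originTuple(b);
  // Documents with opaque origins are treated as cross-origin,
  // even when their URLs are identical.
  if (!oa || !ob) return { same: false, reason: "opaque-or-invalid" };
  for (const part of ["scheme", "host", "port"]) {
    if (oa[part] !== ob[part]) return { same: false, reason: part };
  }
  return { same: true, reason: "match" };
}

// Constructed sample pairs (example.com names are placeholders).
const samples = [
  ["https://example.com/a", "https://EXAMPLE.com:443/b"],    // same origin
  ["http://example.com/", "https://example.com/"],           // scheme differs
  ["https://example.com/", "https://app.example.com/"],      // host differs
  ["https://example.com/", "https://example.com:8443/"],     // port differs
  ["data:text/plain,hello", "data:text/plain,hello"],        // opaque origins
];

for (const [a, b] of samples) {
  const r = compareOrigins(a, b);
  console.log(`${r.same ? "same " : "cross"} (${r.reason}): ${a} vs ${b}`);
}
```

Only the first pair is same-origin; a subdomain, a different port or a different scheme each makes the second URL a separate origin whose data the first must not read.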


According to Apple, the problem was a cross-origin issue in WebKit's Navigation API and has been solved by improving the validation of the inputs that the API processes. Apple's official notice describes the fix and confirms that the vulnerability was reported by researcher Thomas Espach. The fixes are already available as background updates on devices with iOS 26.3.1, iPadOS 26.3.1 and in macOS versions 26.3.1 and 26.3.2.

What is new here is not just the patch but the distribution channel: Background Security Improvements allows Apple to apply small, focused patches to components such as Safari and the WebKit stack without forcing a complete operating system installation or an immediate restart. The company describes this mechanism as a way to respond quickly between major update cycles; if you want to read the official explanation of how this feature works, Apple details it on its support page: Background Security Improvements (Apple).

From the user's perspective, it is easy to activate or check these updates: on iPhone and iPad, go to Settings and then Privacy and Security; on Mac, go to the Apple menu > System Settings > Privacy and Security. Apple further warns that if a Background Security Improvements update is uninstalled, the system goes back to its base state and all the incremental patches applied in the background are lost, leaving the device without these rapid protections until the fixes are reapplied or included in a larger update.


This implies a practical recommendation: unless a background update causes clear compatibility problems on your device, it is not a good idea to uninstall it, because it keeps mitigated flaws that could otherwise be exploited from manipulated or malicious web pages. Historically, critical fixes required installing a complete new version of the system and restarting, a heavier process, but with this feature Apple can react with more agility to threats detected with little warning.

For those who want more technical context about WebKit and why these fixes matter, the official project page explains its architecture and functions: WebKit.org. You can also consult the public CVE record in the vulnerability catalogue to see its status and cross-references: CVE-2026-20643 (NVD).

In short, the news is positive from a security point of view: the combination of responsible reporting by a researcher and Apple's ability to deploy discrete patches reduces the exposure window for millions of devices. As always in security, it is recommended to keep devices up to date, review the Privacy and Security section to confirm that background updates are active and, if you notice any strange behavior after a patch, contact support or consult the official documentation.
