Apple's first silent security patch quietly fixed a flaw already under attack
Apple deployed its first Background Security Improvement to patch a WebKit flaw that let malicious websites steal login credentials from other open tabs.

Apple pushed its first "Background Security Improvement" on Thursday, deploying a lightweight patch for a WebKit vulnerability that at least one security expert says was already being actively exploited before the fix arrived, a claim Apple has not confirmed.
The update, which appeared on iPhones, iPads, and Macs as iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a), targets CVE-2026-20643, a cross-origin flaw in the Navigation API that could allow malicious web content to bypass the same-origin policy, one of the foundational security rules governing what data a website can access in a browser.
The real-world stakes are significant. Randolph Barr, chief information security officer at Cequence Security, described the vulnerability in stark terms: "This bug breaks the same-origin policy. This means a malicious webpage could potentially access session tokens or credentials from other sites a user was logged into, including enterprise SaaS and identity platforms." Barr added that the flaw was already being actively exploited at the time of patching. Apple, for its part, declined to confirm exploitation. Apple did not say why it patched this specific bug, and a spokesperson did not immediately comment when contacted by TechCrunch. An unnamed security researcher is credited with the discovery.
Apple fixed the issue by improving input validation in the Navigation API. The update, which required only a quick device restart rather than the longer reboot typical of larger software updates, was delivered entirely outside Apple's standard release cycle.
The Background Security Improvements mechanism, which debuted with iOS 26.1, iPadOS 26.1, and macOS 26.1, is designed to push lightweight, targeted fixes for critical vulnerabilities between major OS releases. Apple describes the updates as covering components including the Safari browser, the WebKit framework, and core system libraries. Apple had previously exercised the feature with software testers; Thursday's release was its first public deployment against a live vulnerability.
Users who do not see the update in their Software Update settings may not have the feature enabled. To activate it, users must open Settings (or System Settings on macOS), navigate to Privacy and Security, scroll to the bottom, select Background Security Improvements, and ensure "Automatically Install" is turned on. Apple notes that if a Background Security Improvement is removed, the device reverts to the baseline software update with no background improvements applied.
The enterprise implications are considerable. Because the feature must be explicitly enabled, devices managed through mobile device management platforms will not receive the patch automatically unless IT policies have been configured to allow it. "Security teams must ensure their MDM policies explicitly enable these background updates and begin tracking the new '(a)' version suffixes to verify compliance," said Noelle Murata, a security specialist covering application security, vulnerability management, patch and configuration management, and threat intelligence.
Barr echoed that concern, warning that teams should not assume the background patch has been applied automatically across their device fleets.
The vulnerability carries no published CVSS severity score, which may complicate automated patching workflows that rely on severity ratings to prioritize updates. For organizations running WebKit-dependent enterprise applications across large iPhone and Mac deployments, the absence of a score is not a reason for delay: the combination of active exploitation claims, credential-theft potential, and a fix that depends on a manually enabled setting makes this a patch worth verifying by hand.
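The fleet verification the preceding paragraphs call for, as an added example that is not part of the original article or of any Apple or MDM vendor tooling: it parses the version strings an inventory export reports, treats the parenthesised letter as the Background Security Improvement marker, and decides "patched" from the release list the article gives for CVE-2026-20643 rather than from a CVSS score, since none is published. The CSV layout, column names and device identifiers are constructed for illustration; a real MDM export will need its own column mapping.

```python
import re
from typing import Dict, List, Tuple

# Base OS releases to which, per the article, the CVE-2026-20643 fix was
# delivered as a Background Security Improvement ("(a)" builds):
# iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a) and macOS 26.3.2 (a).
PATCHED_BASES = {
    "iOS": {"26.3.1"},
    "iPadOS": {"26.3.1"},
    "macOS": {"26.3.1", "26.3.2"},
}

# Matches "26.3.1", "26.3.1 (a)" or "26.3.1(a)"; the parenthesised letter is
# the Background Security Improvement suffix the article says to track.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)+)\s*(?:\(([a-z])\))?\s*$")


def parse_version(raw: str) -> Tuple[str, str]:
    """Split an Apple OS version string into (base, suffix); suffix is '' when absent."""
    m = _VERSION_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return m.group(1), m.group(2) or ""


def cve_2026_20643_status(platform: str, raw_version: str) -> str:
    """Classify one device against the fix's known ship list.

    'patched'      base release is one the fix shipped for and the (a) suffix is present
    'missing-bsi'  base release is one the fix shipped for but no background improvement
                   is applied (feature disabled, or the improvement was removed)
    'unknown'      older base release, or one the article does not cover: verify by hand
    """
    base, suffix = parse_version(raw_version)
    if base in PATCHED_BASES.get(platform, set()):
        return "patched" if suffix else "missing-bsi"
    return "unknown"


def audit_inventory(csv_text: str) -> Dict[str, List[str]]:
    """Bucket device identifiers by status from a 'device,platform,os_version' export.

    The three-column layout is an assumption made for this example.
    """
    buckets: Dict[str, List[str]] = {"patched": [], "missing-bsi": [], "unknown": []}
    for line in csv_text.strip().splitlines()[1:]:  # skip the header row
        device, platform, version = (field.strip() for field in line.split(","))
        buckets[cve_2026_20643_status(platform, version)].append(device)
    return buckets


# Constructed sample export; not real fleet data.
SAMPLE_INVENTORY = """\
device,platform,os_version
ipad-01,iPadOS,26.3.1 (a)
iphone-02,iOS,26.3.1
mac-03,macOS,26.3.2 (a)
mac-04,macOS,26.3.2
mac-05,macOS,26.2.1
"""

if __name__ == "__main__":
    for status, devices in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(devices) or '-'}")
```

The "unknown" bucket is deliberate: the article does not say whether a later base release folds the fix in, so a device on a release outside the ship list is flagged for manual checking rather than assumed safe. Devices in the "missing-bsi" bucket are the ones the quoted advice is about: they run a base release the fix exists for, yet nothing was applied, which usually means "Automatically Install" is off or the MDM policy does not permit background improvements.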

