Apple has put out emergency security updates to fix a serious WebKit flaw that makes iPhone, iPad, and Mac users vulnerable to advanced web-based attacks. The flaw, known as CVE-2026-20643, could let harmful web content get around the browser's main security features, putting private user data at risk.

Apple sent the fix on March 17, 2026, using its Background Security Improvements system instead of the usual patches. Apple can send targeted security updates through this system without users having to install a full operating system upgrade.

Details about the vulnerability

The problem starts in the Navigation API of Apple's WebKit engine, the engine that powers Safari and other web-based apps on iOS, iPadOS, and macOS.

Security researcher Thomas Espach found the weakness and reported it. It is also tracked under WebKit Bugzilla ID 306050. Versions that are affected are iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and 26.3.2.

The flaw lets attackers take advantage of inputs that are not checked properly when WebKit processes specially crafted web content. By doing this, threat actors can get around the Same Origin Policy (SOP), which is a basic security feature of browsers. The Same Origin Policy makes sure that web pages from different domains can't get to each other's data. It acts as a wall that keeps sensitive information like authentication tokens, cookies, and session data safe.

If this protection is not in place, attackers could:

- Get data from other websites that are open in the browser
- Steal session tokens or login information
- Perform actions on the user's behalf without their permission

For instance, a bad website could silently connect to another active session (like online banking or email) and steal private information without the user knowing.

Apple's Fix and Delivery System

Apple fixed the problem by adding better input validation checks to WebKit. These improvements stop harmful payloads from being processed in a way that breaks cross-origin rules.

This patch is part of Apple's Background Security Improvements system, which was made to quickly fix high-risk holes in important parts like:

- WebKit framework for the Safari browser
- Core libraries for the system

This method lets Apple deal with active threats more quickly while causing the least amount of trouble for users. Devices running iOS 26.1, iPadOS 26.1, and macOS 26.1 or later have this feature turned on by default. An update delivered this way:

- Installs silently and doesn't need a restart or a full OS upgrade
- Includes the ability to roll back if there are compatibility problems

Apple can automatically remove a patch if it causes problems that weren't expected. This will bring the device back to its previous stable state without any permanent damage.

Users and admins should make sure that Background Security Improvements are turned on. You can check this by going to:

Settings > Privacy & Security > Improvements to Background Security

To get protection quickly, you should keep the "Automatically Install" option on. If you turn off this feature, devices won't get important security patches until they are included in future OS updates. This makes them more vulnerable to known threats.

CVE-2026-20643 shows how browser-based attacks are getting more complicated and how important it is to quickly deploy patches. Apple's background update system is a step toward continuous security delivery, which helps keep users safe from new threats without getting in the way of normal device use.