Apple has released a special security update for iOS 26.3.1, iPadOS 26.3.1, and macOS Tahoe 26.3.1 (or 26.3.2). This ‘Background Security Improvements’ with version number 26.3.1 (a) fixes a critical WebKit issue and will normally install automatically.
This is the very first public version of these background updates, which Apple introduced in Software Updates 26 to enable quick security fixes between major updates. Although the installation normally takes place automatically, the update has not yet been carried out on many devices after a few days. You can check whether you still need to install the update manually.
Security updates are performed automatically
Security improvements are automatically installed in the background when the ‘Install automatically’ option is enabled. This option is enabled by default when installing iOS 26, iPadOS 26, and macOS 26, and it is recommended that you do not disable it. Users who do not use automatic installation will receive the patch later through regular updates.
Security update settings
Security Update, unlike traditional updates, is in a different location in the settings. Follow the steps below to check if your iPhone, iPad or Mac automatically installs these updates and run them manually if necessary.
- Open Settings on your iPhone or iPad
- Navigate to ‘Privacy and security’
- Tap ‘Background security improvements’
- Enable the ‘Install automatically’ option
On a Mac, you can check this by going to ▸ System Settings ▸ Privacy & Security ▸ Background Security Enhancements ▸ Install Automatically.
Manually install security update
Follow the steps above to view security update settings. If an update is available, you can install it manually by clicking the ‘Install’ button. If you don’t, the update will be installed automatically at a later date or with the next major update.
What does iOS 26.3.1 (a) fix?
The update fixes a vulnerability in WebKit’s Navigation API, the engine behind Safari and other iOS browsers. Malicious web content could bypass security, posing a risk; this has been addressed with better input validation. Apple named the issue CVE-2026-20643, discovered by Thomas Espach. There are no new features, just this specific patch for iOS, iPadOS and macOS 26.3.1 users.