Your iPhone and Mac might have updated overnight. Here’s why

Apple has released an update to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2 (currently a MacBook Neo-only version). The update is part of Apple’s Background Security Improvements feature in its newest operating systems, which used to be called Rapid Security Responses. The update doesn’t appear in Software Update.

According to an Apple support document, the update contains a single fix for a WebKit vulnerability (WebKit is the engine used by Safari and other software with web access). The vulnerability involves WebKit’s same-origin policy, which is a mechanism that manages how data is used based on the origin of a website. A malicious user could figure out a way to bypass WebKit’s SOP, but the update fixes that. The vulnerability was documented as CVE-2026-20643 in the Common Vulnerabilities and Exposures database.

The update has been labeled iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a) by Apple. It appears in Settings/System Settings > Privacy & Security > Background Security Improvements, and you can manually install it here if it hasn’t been installed already. If you’ve opted to automatically install regular software updates, Background Security Improvements will also be set to automatically install, but you can change the toggle here as well.

Adam Boynton of Jamf, a software company specializing in device management and security, issued a statement regarding the update: “For organizations, it’s crucial to ensure this update is issued immediately, as any postponements will leave devices and operations vulnerable. More importantly, users should set updates to be issued automatically, so there’s no window for attackers to exploit.”

Background Security Improvements are updates that Apple issues between its regular update cycle. They are usually security patches that Apple wants to issue immediately without waiting weeks or months for a regular software update.