CUPERTINO, California, January 2026 — Apple has rolled out its first “background security improvement” for macOS, iOS, and iPadOS, a new class of update that delivers critical security fixes without requiring a full system restart or user interaction.
The update, labeled as a Rapid Security Response (RSR) rather than a traditional point release, patches a zero-day vulnerability in the WebKit browser engine that was actively exploited in the wild.
It applies automatically in the background on devices running iOS 18.3, iPadOS 18.3, and macOS Sequoia 15.3 or later, provided automatic updates are enabled.
Apple introduced the RSR mechanism in 2024 as part of its ongoing effort to close security gaps faster. Unlike conventional updates, RSRs install silently, require no reboot in most cases, and can be reversed easily if issues arise.
The company has committed to using this channel for high-severity vulnerabilities that cannot wait for the next scheduled software release.
In a brief security content statement, Apple confirmed the fix addresses a WebKit flaw (CVE-2026-XXXX) that could allow arbitrary code execution when processing malicious web content. The update also includes hardening measures against similar exploits.
Users with automatic updates enabled received the patch without notification. Those who disabled automatic updates or run older software versions are urged to install the latest point release manually to receive the protection.
The release follows a string of WebKit vulnerabilities exploited in targeted attacks against journalists, activists, and government officials. Apple has previously credited researchers and security firms for discovering the flaw.
No evidence indicates the vulnerability was used in widespread attacks, but Apple classified it as actively exploited prior to patching.
The update is available now through System Settings on macOS and Settings > General > Software Update on iOS and iPadOS.
