Overview
- Apple released iOS and iPadOS 26.4.2 on Wednesday, fixing CVE-2026-28950 with “improved data redaction” after finding that notifications marked for deletion could still be stored on devices.
- Reporting tied the flaw to an FBI case where agents forensically pulled copies of incoming Signal messages from an iPhone’s notification database even after the app and chats were removed.
- The recovered data came from iOS’s local notification storage rather than Signal’s encrypted message store, and only incoming message previews were found because iOS renders and logs those alerts.
- Signal said the update fully addresses the problem and that installing it deletes any preserved notifications, while users can further reduce exposure by setting notification content to “Name Only” or “No Name or Content.”
- Apple did not say how widely the issue was exploited or how long data persisted, and privacy advocates warn that OS-level logs and lock-screen previews can expose sensitive details, including work messages and two-factor codes, if a device is seized.