Overview
- Apple, which pushed out iOS and iPadOS 26.4.2 and 18.7.8 on Wednesday, said the updates fix CVE-2026-28950 by improving data redaction in Notification Services.
- The bug let notifications marked for deletion stay in the phone’s notification database, leaving readable previews of incoming messages even after chats disappeared or an app was removed.
- Signal confirmed the fix and linked it to a case where the FBI forensically recovered incoming Signal previews from an iPhone’s local notification storage after the app was deleted.
- Apple has not said how long notification data lingered or how widely this was used, and experts note recovery typically needs physical device access and specialized forensic tools.
- Users should install the update and can further cut exposure by setting apps like Signal to show “Name Only” or “No Name or Content” in notifications, which limits what the OS can cache.