Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to intelligence
endpoint-software-vulnerabilitywidely-deployed-product-advisoryprivacy-surveillance-policy

Apple fixes iPhone and iPad flaw that retained deleted notification data

Updated 2d agoFirst seen Apr 22, 202617 sources

Apple released out-of-band updates for iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to fix CVE-2026-28950, a privacy flaw in Notification Services that could cause notifications marked for deletion to remain stored on affected iPhones and iPads. Apple said the issue was caused by a logging problem and was resolved through improved data redaction, affecting supported devices across both current and older OS branches.

Apple did not say whether the bug had been exploited or why the fix was issued outside the normal release cycle, but government guidance from the Canadian Centre for Cyber Security urged users and administrators to apply the updates. Reporting on the patch noted similarities to a recent case in which investigators reportedly recovered Signal message content from an iPhone's internal notification storage after the app had been deleted, though Apple has not publicly connected the update to that incident.

Share:
Apple fixes iPhone and iPad flaw that retained deleted notification data
Stay ahead

Get ahead of threats like this

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.

EVENT TIMELINE

How this story unfolded

4 events from the most recent confirmed update back to the earliest known activity.

4 EVENTS
Apr 23, 20262mo ago

Signal confirms CVE-2026-28950 was tied to FBI-accessed Signal notifications

On 2026-04-23, Signal confirmed that CVE-2026-28950 was the same Apple Notification Services flaw implicated in reporting that the FBI accessed retained Signal notification content from a suspect's iPhone after the app had been deleted. Signal also said the Apple patch removes inadvertently preserved notifications and advised users to limit notification preview content to reduce exposure.

Apple fixes iPhone bug that let FBI retrieve deleted Signal messages(CVE-2026-28950) - Help Net Security
Apr 22, 20262mo ago

Canadian Centre for Cyber Security urges users to apply Apple updates

Later on April 22, 2026, the Canadian Centre for Cyber Security issued advisory AV26-381 referencing Apple's iOS and iPadOS security updates. It advised users and administrators to review Apple's documentation and install the necessary updates for affected devices.

Apple publishes security advisories detailing the notification retention flaw

Apple published security notices for the affected iPhone and iPad releases, documenting CVE-2026-28950 and the impacted supported models. The advisories noted Apple's standard practice of withholding security issue details until investigations are complete and fixes are available.

Apple releases iOS and iPadOS updates for CVE-2026-28950

On April 22, 2026, Apple released iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to fix CVE-2026-28950, a Notification Services privacy flaw that could cause notifications marked for deletion to be unexpectedly retained on the device. Apple said the issue was caused by a logging problem and was addressed through improved data redaction.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

28 LINKEDOpen in app
Affected products
10 linked
IpadosIpadIphoneIosSignalTor BrowserItunesIpad MiniIphone 11Macos
Organizations
17 linked
AppleArctic WolfBleepingComputerMalwarebytesBlackpoint CyberTechCrunchSANS InstituteSOC Prime404 MediaGoDaddyBlueskyZDNETGitHubForbesSignal MessengerArs TechnicaSignal Messenger, LLC
The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.
Exposure mapping

Map indicators from this story to your assets and identify affected systems in minutes.

Threat actor evidence

Every observed campaign, victim, and pivot linked to actors named in this story.

Associated malware

Malware, exploits, and IOCs connected to the activity described here.

Detection signatures

YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.

Scheduled alerts

Get matching new stories delivered to your team as they break — not the next morning.

AI threads

Ask questions about this story and take action on the answers.