Apple fixes iPhone and iPad flaw that retained deleted notification data
Apple released out-of-band updates for iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to fix CVE-2026-28950, a privacy flaw in Notification Services that could cause notifications marked for deletion to remain stored on affected iPhones and iPads. Apple said the issue was caused by a logging problem and was resolved through improved data redaction, affecting supported devices across both current and older OS branches.
Apple did not say whether the bug had been exploited or why the fix was issued outside the normal release cycle, but government guidance from the Canadian Centre for Cyber Security urged users and administrators to apply the updates. Reporting on the patch noted similarities to a recent case in which investigators reportedly recovered Signal message content from an iPhone's internal notification storage after the app had been deleted, though Apple has not publicly connected the update to that incident.

Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Signal confirms CVE-2026-28950 was tied to FBI-accessed Signal notifications
On 2026-04-23, Signal confirmed that CVE-2026-28950 was the same Apple Notification Services flaw implicated in reporting that the FBI accessed retained Signal notification content from a suspect's iPhone after the app had been deleted. Signal also said the Apple patch removes inadvertently preserved notifications and advised users to limit notification preview content to reduce exposure.
Canadian Centre for Cyber Security urges users to apply Apple updates
Later on April 22, 2026, the Canadian Centre for Cyber Security issued advisory AV26-381 referencing Apple's iOS and iPadOS security updates. It advised users and administrators to review Apple's documentation and install the necessary updates for affected devices.
Apple publishes security advisories detailing the notification retention flaw
Apple published security notices for the affected iPhone and iPad releases, documenting CVE-2026-28950 and the impacted supported models. The advisories noted Apple's standard practice of withholding security issue details until investigations are complete and fixes are available.
Apple releases iOS and iPadOS updates for CVE-2026-28950
On April 22, 2026, Apple released iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to fix CVE-2026-28950, a Notification Services privacy flaw that could cause notifications marked for deletion to be unexpectedly retained on the device. Apple said the issue was caused by a logging problem and was addressed through improved data redaction.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
17 references tracked. Mallory keeps watching after this page renders.
Apple patches bug that exposed deleted Signal messages - Boing Boing
boingboing.net
Open sourceA week in security (April 20 - April 26) | Malwarebytes
malwarebytes.com
Open sourceApple corrige la faille qui a permis au FBI de lire des messages ...
zdnet.fr
Open sourceApple stops weirdly storing data that let cops spy on Signal chats - Ars Technica
arstechnica.com
Open sourceAbout the security content of iOS 26.4.2 and iPadOS 26.4.2 - Apple Support
support.apple.com
Open sourceApple fixes iOS bug that retained deleted notification data
bleepingcomputer.com
Open sourceFull Disclosure: APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8
seclists.org
Open sourceFull Disclosure: APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.


