Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Medium

Apple Notification Services retained deleted notifications

IdentifiersCVE-2026-28950CWE-532

CVE-2026-28950 is a privacy and confidentiality flaw in Apple Notification Services affecting multiple supported iOS and iPadOS release branches. Apple describes the issue as a logging problem that was addressed with improved data redaction. The observable impact is that notifications marked for deletion could be unexpectedly retained on the device instead of being fully removed. Based on the vendor description and supporting reporting, notification content or previews could persist in local notification-related storage/logging after deletion events, creating unintended residual data exposure on the device.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation or abuse of this issue exposes residual notification data that users and applications expected to be deleted. The primary impact is confidentiality loss: sensitive notification content, including message previews or app-generated text, may remain recoverable from the device after deletion and potentially even after the originating app is removed. Public reporting linked the issue to forensic recovery of Signal notification content from a seized iPhone. There is no indication in the provided content of code execution, privilege escalation, or availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce notification exposure by limiting or disabling sensitive notification previews for high-risk applications, especially messaging apps. Use app and OS settings that show only minimal notification content, such as sender name only or no content, and consider disabling notifications entirely for highly sensitive workflows. These measures reduce residual data value but do not replace installing Apple's patched releases.

Remediation

Patch, then assume compromise.

Apply Apple's fixed releases on affected devices. The issue is fixed in iOS 15.8.8 and iPadOS 15.8.8, iOS 16.7.16 and iPadOS 16.7.16, iPadOS 17.7.11, iOS 18.7.8 and iPadOS 18.7.8, and iOS 26.4.2 and iPadOS 26.4.2. Verify installed versions through Settings > General > About or enterprise device management tooling. Prioritize patching devices used for sensitive communications.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AppleIosoperating_system
AppleIpadosoperating_system
AppleIphone Osoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity42

Community discussion across Reddit, Mastodon, and other social sources.