Apple has released out-of-band security updates for iPhone and iPad devices to fix a Notification Services flaw that could allow notifications marked for deletion to remain stored on the device.
The bug, tracked as CVE-2026-28950, was fixed on April 22, 2026, in iOS 26.4.2 and iPadOS 26.4.2 and in iOS 18.7.8 and iPadOS 18.7.8.
“Notifications marked for deletion could be unexpectedly retained on the device,” reads the Apple security bulletin.
Apple says the flaw was fixed through improved data redaction but provided no additional information.
However, the company has not said whether the flaw was exploited in attacks or why it was addressed outside the normal security update cycle. Apple also did not share technical details about how long notification data remained on the device or how it could potentially be recovered.
While Apple has not explained why it released this emergency update, recent reporting by 404 Media described how the FBI recovered copies of Signal messages from a suspect’s iPhone, even after they had been deleted in the app.
According to trial notes published by supporters of the defendants, the recovered data did not come from Signal’s encrypted message store, but instead from iPhone’s notification storage.
“Messages were recovered from Sharp’s phone through Apple’s internal notification storage — Signal had been removed, but incoming notifications were preserved in internal memory,” the notes state.
404 also reported the notification data was retained even after Signal was deleted from the device.
Apple’s advisory does not reference the case, but its description of notifications being retained on the device closely aligns with the type of data persistence described in that report.
Users are advised to install the latest updates as soon as possible to prevent deleted notification data from being unexpectedly retained on their devices.
Furthermore, it is possible to prevent Signal message content from being retained in the iOS notification data storage by going to Signal Settings > Notifications> Notification content and setting Show to “Name Only” or “No Name or Content”.
BleepingComputer contacted Apple with questions about these updates, but has not yet received a response.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
Claim Your Spot
