Apple Pushes Unscheduled Security Updates for Notification Bug
Apple issued out-of-band security updates on April 22, 2026, targeting a flaw in its Notification Services that could cause notifications marked for deletion to remain stored on an iPhone or iPad. The vulnerability, tracked as CVE-2026-28950, was patched in iOS 18.7.8, iPadOS 18.7.8, iOS 26.4.2, and iPadOS 26.4.2.
According to Apple's security bulletin, the issue meant that "notifications marked for deletion could be unexpectedly retained on the device." The company says it resolved the problem through improved data redaction, though it stopped short of providing any deeper technical explanation.
What Apple Has — and Has Not — Disclosed
Apple has not confirmed whether CVE-2026-28950 was actively exploited in the wild, nor has it explained why this fix was delivered outside the normal security update schedule. The company also declined to clarify how long affected notification data could linger on a device or through what means it might be recoverable by a third party.
BleepingComputer contacted Apple with questions about the updates but had not received a response at the time of publication.
Connection to FBI Recovery of Signal Messages
Although Apple's advisory makes no mention of any specific case, the timing and description of the flaw closely mirror details reported by 404 Media regarding law enforcement's recovery of encrypted messages from a suspect's iPhone.
According to trial notes published by supporters of the defendants in that case, the FBI was able to recover copies of Signal messages even after they had been deleted within the app. Critically, the recovered data did not originate from Signal's encrypted message store. Instead, as the trial notes state:
"Messages were recovered from Sharp's phone through Apple's internal notification storage — Signal had been removed, but incoming notifications were preserved in internal memory."
404 Media further reported that the notification data persisted even after the Signal application itself had been fully deleted from the device — a detail that underscores the severity of the retention flaw described in Apple's bulletin.
Why This Matters for Privacy-Conscious Users
The implication of this bug is significant: even apps focused on secure, ephemeral communications — like Signal — could inadvertently leave traces of message content in Apple's notification storage layer, entirely outside the app's own data management controls. Users who believed their messages were gone after deletion may have been mistaken about the completeness of that removal.
This type of data persistence can be exploited not only by law enforcement with physical access to a device, but potentially by malicious actors who gain unauthorized access as well.
How to Reduce Notification Data Exposure in Signal
While installing the latest iOS or iPadOS update is the most direct remediation, users can take an additional step to minimize what Signal stores in iOS notification data going forward. Apple and security researchers advise adjusting Signal's notification settings as follows:
- Open the Signal app and navigate to Settings.
- Tap Notifications.
- Select Notification content.
- Change the Show setting to either "Name Only" or "No Name or Content".
Setting notification content to one of these restricted modes prevents the body of Signal messages from being included in iOS notification storage in the first place, significantly limiting what could be retained or recovered.
Recommendations
Apple is urging all iPhone and iPad users to install the latest available updates — iOS 18.7.8 / iPadOS 18.7.8 or iOS 26.4.2 / iPadOS 26.4.2 — as promptly as possible. Given that the bug allowed deleted notification data to persist unexpectedly, applying the patch is the most reliable way to ensure that future notifications are handled with proper data redaction.
The fact that Apple chose to release this fix outside its usual update cadence suggests the company considers the issue serious enough to warrant immediate attention, even if it has not publicly elaborated on the specific threat landscape driving that decision.
Source: BleepingComputer