Apple fixes iPhone flaw that let deleted notification content linger after apps were removed


Apple has released iOS 26.4.2 and iPadOS 26.4.2 to fix a privacy flaw in Notification Services that could cause notifications marked for deletion to remain on the device. Apple says the bug, tracked as CVE-2026-28950, came from a logging issue and was fixed with improved data redaction.

The issue drew wide attention after 404 Media reported that the FBI was able to extract copies of incoming Signal message notifications from a suspect’s iPhone even after the Signal app had been deleted. The report said investigators recovered notification content from the device’s push notification database rather than from Signal itself.

That distinction matters. Apple did not say Signal was broken, and nothing in Apple’s advisory suggests Signal’s end-to-end encryption failed. The problem sat at the iPhone notification layer, where message previews that should have disappeared could remain behind on the device.

What Apple fixed

Apple’s security advisory says the impact was straightforward: notifications marked for deletion could be unexpectedly retained on the device. The company fixed the issue in iOS 26.4.2 and iPadOS 26.4.2, both released on April 22, 2026.

Apple also shipped the same fix for older supported devices through iOS 18.7.8 and iPadOS 18.7.8 on the same day. That means users who are not on the latest major release still have a patch path available.

For current-generation devices, Apple says the update applies to iPhone 11 and later, plus supported iPad Pro, iPad Air, iPad, and iPad mini models. For older supported hardware, Apple lists devices such as iPhone XR, iPhone XS, iPhone XS Max, and later models under the iOS 18.7.8 advisory.

Why the Signal angle matters

Signal publicly welcomed the patch. In a post on X, the company said it was “very happy” Apple issued both a patch and a security advisory after reporting showed the FBI had accessed Signal notification content through iOS even after the app had been deleted.

Signal also said no user action is needed beyond installing Apple’s update, and added that the fix protects Signal users on iOS. Public reporting around the update also says the patch clears retained notification content going forward, though Apple’s own advisory stays focused on the vulnerability and fix rather than detailed cleanup language.

The bigger lesson is that private messaging apps can still leak sensitive content through operating system features like notifications if users allow previews on the lock screen or notification shade. In this case, the reported exposure involved incoming message previews preserved by iOS logging behavior, not decrypted chat history stored inside Signal.

What users should do now

Install the patch as soon as possible. Apple has already published the security content pages for iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8, and all of them list CVE-2026-28950 under Notification Services.

If you handle sensitive communications, it also makes sense to review notification preview settings. Apple’s patch fixes the retention bug, but limiting how much message content appears in notifications can still reduce privacy exposure on a seized, lost, or shared device. This recommendation is an inference based on the fact that the reported recovery involved notification content rather than app content.

You can install the update by going to Settings > General > Software Update on your iPhone or iPad. Apple’s release notes do not mention a public CVSS score, and I did not find an official Apple statement confirming any specific package size or build number in the security advisory, so I have left those details out here.

Quick facts

Item | Details
Vulnerability | CVE-2026-28950
Affected component | Notification Services
Main issue | Notifications marked for deletion could remain on the device
Fixed in | iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, iPadOS 18.7.8
Release date | April 22, 2026
Report that drew attention to the issue | 404 Media report on FBI recovery of Signal notification content

What this means in practice

  • The flaw did not mean Signal encryption failed. The reported exposure involved notification previews retained by iOS.
  • Users on supported current devices should update to iOS 26.4.2 or iPadOS 26.4.2. Users on older supported hardware should update to iOS 18.7.8 or iPadOS 18.7.8.
  • Privacy-conscious users should consider reducing notification preview visibility for sensitive apps even after patching. This is a sensible hardening step based on how the reported data was exposed.

FAQ

What did Apple fix in iOS 26.4.2?

Apple fixed a Notification Services logging issue that could cause notifications marked for deletion to be unexpectedly retained on the device.

Did the FBI read deleted Signal messages from Signal itself?

Public reporting says investigators recovered incoming Signal notification content from the iPhone’s push notification database, not from the Signal app after it was deleted.

Which devices can install the patch?

Apple says iOS 26.4.2 and iPadOS 26.4.2 apply to iPhone 11 and later and a broad set of supported iPads, while iOS 18.7.8 and iPadOS 18.7.8 cover older supported iPhones and iPads including iPhone XR and iPhone XS-class devices.

Do Signal users need to do anything besides update?

Signal’s public statement says no additional action is needed beyond Apple’s fix to protect Signal users on iOS.
