CVE-2026-28950 — a Notification Services flaw that let deleted alerts persist on devices — was fixed by Apple in an emergency update that the company shipped this week.
CVE-2026-28950: Apple patches iOS 26.4.2 and iPadOS 26.4.2
Apple released emergency updates addressing a Notification Services vulnerability tracked as CVE-2026-28950. The fixes are included in iOS 26.4.2 and iPadOS 26.4.2, and Apple also backported patches to older supported releases, including iOS 18.7.8 and iPadOS 18.7.8. According to Apple, the bug stemmed from a logging issue that allowed notifications marked for deletion to persist; the company says it has implemented improved data redaction to resolve the problem.
Apple noted the vulnerability impacted a broad range of iPhones and iPads, explicitly including iPhone 11 and later devices. The vendor did not confirm whether the flaw had been exploited in the wild, did not explain why notification content had been retained, and did not say when the issue had been introduced.
Forensic recovery of deleted Signal messages via notification cache
The update followed reporting that forensic investigators recovered deleted Signal messages from an iPhone by accessing stored notification data rather than the app itself. 404 Media reported that message content remained available even after the app was removed because notifications had been cached in system storage. Apple did not reference that case directly in its advisory, but the company’s description of the behavior reflects the same pattern: notifications that were intended to be deleted remained accessible because they were retained in system logs or caches.
Signal’s reaction and the Electronic Frontier Foundation’s warning
Signal publicly welcomed Apple’s prompt patching. In an X post on Wednesday, Signal said: "We're grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication."
The Electronic Frontier Foundation cautioned that notifications can expose metadata or unencrypted content depending on how they are implemented. Apple’s advisory — and the 404 Media reporting that prompted attention to the issue — highlight how system-level features such as notification storage and logging can introduce privacy risks even when applications themselves use end-to-end encryption.
User mitigation: notification previews, updates, and settings review
- Set notification previews to "Name Only" or disable message content to reduce the amount of text that can be captured by system notifications.
- Install the latest OS updates promptly — Apple has released patches for current and older supported versions to address CVE-2026-28950.
- Review notification settings for sensitive apps and consider limiting which apps are permitted to show content in notifications or to create persistent notification entries.
How technologists, policymakers, and end users are likely to respond
Technologists and security teams will need to scrutinize system-level logging and notification handling as part of device security assessments, since the vulnerability arose outside the messaging app itself and in platform logging behavior.
Policymakers and regulators concerned with privacy will note that platform features can undermine application-level protections; the episode underscores the distinction between encrypted message transport and what the operating system logs or displays in notifications.
End users and the general public should treat the update as immediate: installing the patches and adjusting notification preview settings are practical steps to reduce exposure while vendors and investigators assess whether any data was actually accessed.
Apple’s emergency patch for CVE-2026-28950 closes the technical hole that allowed deleted notifications to persist, and Signal’s public endorsement underscores the stakes for private messaging ecosystems. What remains unresolved in Apple’s advisory is whether anyone exploited the retained data and for how long copies could have been accessible — a narrow but consequential gap that leaves the question of retrospective exposure unanswered even as devices are brought up to date.
Original story: https://www.infosecurity-magazine.com/news/apple-ios-notification-bug-deleted/




