"Notifications marked for deletion could be unexpectedly retained on the device," Apple said in an advisory.
Apple advisory and CVE-2026-28950
Apple has released software updates for iOS and iPadOS to remediate a Notification Services flaw tracked as CVE-2026-28950. The company described the problem as a logging issue and said it has been addressed with improved data redaction. The advisory lists the behavior plainly: notifications that had been marked for deletion could nonetheless be retained on the device. The published CVE carries a CVSS score of N/A in the advisory.
Affected devices and updated builds
Apple's advisory identifies two sets of devices and the corresponding fixes:
- iPhone 11 and later; iPad Pro 12.9-inch 3rd generation and later; iPad Pro 11-inch 1st generation and later; iPad Air 3rd generation and later; iPad 8th generation and later; and iPad mini 5th generation and later — Fixed in iOS 26.4.2 and iPadOS 26.4.2.
- iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), iPhone 16e, iPad mini (5th generation - A17 Pro), iPad (7th generation - A16), iPad Air (3rd - 5th generation), iPad Air 11-inch (M2 - M3), iPad Air 13-inch (M2 - M3), iPad Pro 11-inch (1st generation - M4), iPad Pro 12.9-inch (3rd - 6th generation), and iPad Pro 13-inch (M4) — Fixed in iOS 18.7.8 and iPadOS 18.7.8.
The advisory instructs users to apply the listed updates to ensure the inadvertent persistence of deleted notifications is remediated.
How the FBI used retained Signal notifications
The update follows reporting by 404 Media that the U.S. Federal Bureau of Investigation managed to forensically extract copies of incoming Signal messages from a defendant's iPhone, even after the Signal app was deleted. According to that reporting, the FBI exploited the fact that copies of message content had been saved in the device's push notification database. The underlying cause — why notification content was logged on the device in the first place — is not known; Apple’s fix and description point to a software bug as the likely explanation. The advisory also notes it is unclear when the issue was introduced and whether there have been prior cases in which such data may have been captured by authorities using forensic tools.
Signal, the EFF, and built-in notification controls
The episode highlighted existing Signal settings that control whether incoming messages show content in notifications. Signal notes users can navigate to profile > Notifications > Show and choose either "Name only" or "No name or message" to prevent message content from appearing in notifications. Signal posted guidance and a reassurance: "Note that no action is needed for this fix to protect Signal users on iOS," and added that once the patch is installed, "all inadvertently-preserved notifications will be deleted, and no forthcoming notifications will be preserved for deleted applications."
The Electronic Frontier Foundation framed the wider risk in terms of visibility and metadata: "For most app notifications, there's no simple way to easily figure out what metadata might be gleaned from a notification, or if the notification is unencrypted or not," the EFF said. The organization also recommended reconsidering whether an app should send notifications at all.
Signal praised Apple for the update in a separate statement: "We're grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication."
What this means for Signal users, the FBI, and privacy advocates
- Signal users: Installing the iOS/iPadOS updates will, according to Signal, remove inadvertently preserved notifications and prevent deleted apps from leaving preserved future notifications; users can also adjust Notification settings to limit message content in notifications.
- The U.S. Federal Bureau of Investigation: 404 Media's report demonstrates that forensic examination of a device's push notification database can yield message content even when an app has been uninstalled, a capability rooted in how the data was stored on the device before this patch.
- Privacy advocates and organizations like the EFF: The incident underscores the difficulty of assessing what metadata and content a notification might expose and bolsters calls to scrutinize notification behavior and platform-level data handling.
The immediate technical step has been taken: Apple pushed a fix described as improved data redaction and Signal and users have a path to reduce visible content in notifications. But the advisory leaves a pointed open question: because it is unclear when the logging behavior began, there remains uncertainty over whether prior forensic examinations may also have harvested preserved notification content. That uncertainty — and the public acknowledgement of a platform-level logging bug — is likely to drive continued scrutiny of how notifications are stored and how forensic tools interface with those stores.
https://thehackernews.com/2026/04/apple-patches-ios-flaw-that-stored.html




