Apple released out‑of‑band security updates for iPhone and iPad to fix a Notification Services flaw (CVE-2026-28950) that could allow notifications marked for deletion to remain stored on the device. The fixes—iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8 and iPadOS 18.7.8—use improved data redaction but Apple disclosed no technical details or whether the flaw was exploited, while reporting indicates retained notification data may have allowed recovery of Signal messages; users should install updates and consider changing Signal notification content to “Name Only” or “No Name or Content”. #CVE-2026-28950 #Signal
Keypoints
- Apple issued out‑of‑band patches for a Notification Services bug that could retain deleted notifications.
- The vulnerability is tracked as CVE-2026-28950 and was fixed in iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8 and iPadOS 18.7.8.
- Apple says the issue was addressed with improved data redaction but provided no exploitation or technical details.
- Reporting suggests the retained notification data may have enabled recovery of Signal messages from an iPhone’s notification store.
- Users should install the updates promptly and can reduce risk by changing Signal’s notification content to “Name Only” or “No Name or Content”.