GoKawiilApple has released out-of-band security updates for iPhone and iPad devices to fix a Notification Services flaw that could allow notifications marked for deletion to remain stored on the device.
The bug, tracked as CVE-2026-28950, was fixed on April 22, 2026, in iOS 26.4.2 and iPadOS 26.4.2 and in iOS 18.7.8 and iPadOS 18.7.8.
"Notifications marked for deletion could be unexpectedly retained on the device," reads the Apple security bulletin.
Apple says the flaw was fixed through improved data redaction but provided no additional information.
However, the company has not said whether the flaw was exploited in attacks or why it was addressed outside the normal security update cycle. Apple also did not share technical details about how long notification data remained on the device or how it could potentially be recovered.
While Apple has not explained why it released this emergency update, recent reporting by 404 Media described how the FBI recovered copies of Signal messages from a suspect's iPhone, even after they had been deleted in the app.
According to trial notes published by supporters of the defendants, the recovered data did not come from Signal's encrypted message store, but instead from iPhone's notification storage.
"Messages were recovered from Sharp's phone through Apple's internal notification storage — Signal had been removed, but incoming notifications were preserved in internal memory," the notes state.
404 also reported the notification data was retained even after Signal was deleted from the device.
Apple's advisory does not reference the case, but its description of notifications being retained on the device closely aligns with the type of data persistence described in that report.
... continue reading