Apple has released security updates for iPhone and iPad devices to address a vulnerability that allowed deleted message notifications to remain stored on devices. The issue, tracked as CVE-2026-28950, was fixed in iOS 26.4.2 and iPadOS 26.4.2, which the company published on April 22, 2026.

According to Apple’s security advisory, the flaw affected Notification Services and caused “notifications marked for deletion” to be “unexpectedly retained on the device.” The company stated that the issue stemmed from a logging problem and confirmed that it resolved the vulnerability through improved data redaction.

The update applies to a wide range of devices, including iPhone 11 and later models, as well as several iPad generations. Apple did not disclose further technical details about how long the data could persist or the exact mechanism that allowed recovery.

The patch follows public reporting that law enforcement accessed message content from the Signal app through iPhone notification storage. Independent outlet 404 Media reported that the FBI retrieved message data from a suspect’s device even after the app had been deleted and messages were set to disappear.

Court-related notes cited in that reporting stated:

“Messages were recovered from Sharp's phone through Apple's internal notification storage — Signal had been removed, but incoming notifications were preserved in internal memory.”

The recovered data did not originate from Signal’s encrypted message database. Instead, it came from cached notification previews stored at the operating system level. These previews remained accessible through forensic tools.

Apple’s advisory does not reference the case directly. However, its description of retained notifications aligns with the behavior outlined in the report.

Signal responds to patch and privacy risks

Signal confirmed that the newly released updates addressed the issue. In a public statement shared on X, the company said:

“Apple's advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release.”

The messaging platform emphasized that users do not need to take additional steps beyond installing the update.

“Note that no action is needed for this fix to protect Signal users on iOS. Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications.”

Signal also acknowledged Apple’s response to the issue, stating:

“We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication.”

Encryption limits exposed by system-level data

The incident highlights a gap between application-level encryption and operating system data handling. Signal uses end-to-end encryption, which prevents access to message content within its own infrastructure. However, notification previews generated by the operating system can still expose fragments of those messages.

In this case, message previews stored in iOS notification caches remained available even after users deleted conversations or removed the application. The behavior created a secondary data trail outside the encrypted environment.

Apple has not stated whether the vulnerability was actively exploited beyond the reported case. The company also did not confirm whether the update was released outside its standard schedule due to urgency.

Limited technical disclosure from Apple

Apple maintains a policy of withholding detailed vulnerability information until patches are available. In this instance, the company provided only a brief description of the flaw and the fix. It attributed the issue to logging and stated that improved data redaction resolved it.

The advisory did not include information on how notification data was stored, how long it persisted, or whether additional safeguards have been implemented to prevent similar issues.

Apple also noted that it does not endorse or take responsibility for third-party products or external websites referenced in its documentation.

Broader implications for user privacy

The vulnerability drew attention because it affected deleted and disappearing messages, which users often associate with stronger privacy guarantees. The incident shows that system-level processes can retain data even when applications remove it.

Users who rely on disappearing messages or uninstall apps to limit data exposure faced a scenario where message content remained accessible in another form. The update removes that retained data and prevents future storage under the same conditions.

Signal previously suggested that users could limit notification exposure by adjusting settings to hide message content in notifications. This approach reduces the amount of readable data stored by the operating system.

Apple now advises users to install the latest updates to ensure that deleted notifications do not remain on their devices.

Playdate Bans Generative AI Content in Catalog as Policy Tightens | HODL FM NEWS
Playdate bans AI-generated art, music, and writing in Catalog submissions while still allowing disclosed AI coding, following Wheelsprung policy update.
hodl-post-imageHODL FM News: The Wildest Ride in the Crypto MarketAnastasiia G
hodl-post-image

Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that, despite the nature of much of the material created and hosted on this website, HODL FM operates as a media and informational platform, not a provider of financial advisory services. The opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice, HODL FM strongly recommends contacting a qualified industry professional.