Data Security, Privacy, Vulnerability Management, Patch/Configuration Management

Apple patches iPhone notification bug after reports of deleted data recovery

As reported by Bleeping Computer, Apple has issued out-of-band security updates for iPhone and iPad devices to address a vulnerability in its notification services. The flaw could cause notifications that were intended to be deleted to be unexpectedly retained on the device.

The vulnerability, identified as CVE-2026-28950, was patched on April 22, 2026, in iOS 26.4.2 and iPadOS 26.4.2, as well as in iOS 18.7.8 and iPadOS 18.7.8. Apple stated the fix was implemented through improved data redaction. While Apple has not confirmed whether the flaw was actively exploited, the update follows reports from 404 Media detailing how the FBI recovered deleted Signal messages from an iPhone. These messages were reportedly retrieved not from Signal's encrypted storage, but from the iPhone's notification storage, where they persisted even after the Signal app was removed.

This incident highlights potential privacy concerns regarding data persistence on mobile devices, even after user-initiated deletion. While Apple has not linked the update to specific exploits or legal cases, the timing suggests a response to emerging methods of data recovery. Users are advised to install the latest updates to mitigate the risk of deleted notification data being retained. Furthermore, users of privacy-sensitive applications like Signal can configure notification settings to limit the content displayed, reducing the data stored in notification logs.

Source: Bleeping Computer
