Apple staged staggered rollouts of emergency iOS patches to reach modern and legacy devices
- Apple on April 22 released iOS 26.4.2 and iOS 18.7.8, shipping the same emergency fix for a notifications logging flaw across current iPhones and older models still running the iOS 18 branch. - Apple said CVE-2026-28950 let notifications marked for deletion remain on a device; iOS 18.7.8 covered iPhone XR through iPhone 16e, while iOS 26.4.2 covered iPhone 11 and later. - The move followed Apple’s April 1 expansion of iOS 18.7.7 to more devices for automatic security delivery, showing a broader backporting push for older iPhones. (support.apple.com)
Apple split the same emergency iPhone fix across two software tracks on April 22: iOS 26.4.2 for newer devices and iOS 18.7.8 for older ones. (support.apple.com 1) (support.apple.com 2) Both updates patched CVE-2026-28950 in Notification Services. Apple said notifications marked for deletion could be unexpectedly retained on the device because of a logging issue. (support.apple.com 1) (support.apple.com 2) Apple described the fix the same way in both advisories: improved data redaction in logs. The affected feature matters because notifications can contain message previews, names, one-time codes, and other sensitive fragments. (support.apple.com 1) (support.apple.com 2) The device lists show why Apple used two branches. iOS 26.4.2 applies to iPhone 11 and later, while iOS 18.7.8 reaches back to iPhone XR, iPhone XS, and iPhone XS Max. (support.apple.com) (support.apple.com) That older branch now spans a wide installed base, including iPhone SE models from the second and third generations through the iPhone 16 line. Apple’s advisory for iOS 18.7.8 also covers a long list of older iPads. (support.apple.com) Apple had already widened that legacy channel earlier this month. In its March 24 advisory for iOS 18.7.7, Apple added a note saying availability was expanded on April 1, 2026, so users with Automatic Updates could receive DarkSword protections. (support.apple.com) Apple repeated that message in a separate April 14 support note telling users to update iOS to protect against web attacks. That page said devices with older iOS 18 versions would receive an additional alert to install a Critical Security Update. (support.apple.com) The pattern suggests Apple is treating iOS 18 as an active security rail, not just a maintenance branch for abandoned hardware. Apple’s own iOS 18 update history now lists versions through iOS 18.7.8. (support.apple.com) Apple’s main security releases page had still listed iOS 26.4.1 as the latest iPhone version when it was last crawled, a lag that can happen when support pages update at different times. The individual advisories for 26.4.2 and 18.7.8 are both dated April 22, 2026. (support.apple.com) (support.apple.com) (support.apple.com) The practical message is simple: Apple did not leave older iPhones waiting for the next major branch. It shipped the same notifications fix to both current and legacy devices on the same day. (support.apple.com) (support.apple.com)
