Emergency iOS 26.4.2 and 18.7.8 released to fix a notification‑handling vulnerability

- Apple released iOS 26.4.2 and iOS 18.7.8 on April 22 to fix CVE-2026-28950, a Notification Services flaw that could keep notifications on an iPhone after users deleted them.
- Apple said the bug was a logging issue and fixed it with improved data redaction; the same patch shipped for current iPhones on iOS 26 and older supported devices on iOS 18.
- The update followed reporting that investigators accessed Signal notification content on a seized iPhone, turning a quiet logging bug into a privacy and law-enforcement issue. (support.apple.com)

Apple pushed emergency iPhone updates on April 22 to stop deleted notifications from lingering on devices. (support.apple.com 1) (support.apple.com 2)

The fixes arrived as iOS 26.4.2 and iOS 18.7.8, and Apple assigned the bug CVE-2026-28950. Apple said notifications “marked for deletion could be unexpectedly retained on the device.” (support.apple.com 1) (support.apple.com 2)

In plain terms, a push notification is the banner or preview text an app sends to the lock screen or Notification Center. If the phone keeps a copy after deletion, fragments of messages, one-time codes, calendar invites, or work alerts can remain in storage. (support.apple.com) (forbes.com)

Apple’s advisory says the root problem was a logging issue, and the company fixed it with “improved data redaction.” That means the operating system changed how it strips or avoids storing sensitive notification content in internal records. (support.apple.com 1) (support.apple.com 2)

The two version numbers exist because Apple is supporting two iPhone software tracks at once. iOS 26.4.2 is for iPhone 11 and later, while iOS 18.7.8 covers older supported models including iPhone XR, iPhone XS, and second-generation iPhone SE and newer. (support.apple.com) (support.apple.com)

The bug drew wider attention after reporting tied the issue to a federal case in Texas, where investigators were said to have extracted Signal notification content from an iPhone. Forbes said the retained data aligned with details first reported by 404 Media. (forbes.com) (forbes.com)

Signal publicly welcomed the patch after Apple shipped it. Forbes quoted Signal saying Apple had issued “a patch and a security advisory” after reporting that the Federal Bureau of Investigation accessed Signal message notification content through iOS even after the app was deleted. (forbes.com)

Apple did not say the flaw was used in active attacks against the general public, and its security notes do not name any outside researcher. The company’s standard practice is to publish limited detail until patches are available broadly. (support.apple.com) (support.apple.com)

For iPhone owners, the practical step is simple: install iOS 26.4.2 or iOS 18.7.8, depending on your device. Apple’s advisory makes clear the bug lived in Notification Services, not in one single app. (support.apple.com) (support.apple.com)
