Urgent iOS security patch
- Apple released iOS 26.4.2 and iPadOS 26.4.2 as security updates focused on privacy and logging fixes.
- The update fixes a flaw where deleted notifications were retained in system logs and reportedly exploited by the FBI.
- The bug underscores ongoing platform validation work and the need for coordinated software fixes alongside hardware feature rollouts (support.apple.com).
Apple pushed iOS 26.4.2 and iPadOS 26.4.2 on April 22 to fix a bug that could keep “deleted” notifications stored on an iPhone or iPad. (support.apple.com) Notifications are the pop-up previews apps send to the lock screen and notification center. Apple said the flaw was in Notification Services and affected iPhone 11 and later, plus recent iPad Pro, iPad Air, iPad, and iPad mini models. (support.apple.com)
Apple’s security note says notifications “marked for deletion could be unexpectedly retained on the device,” and that it fixed the issue with “improved data redaction,” which means hiding or stripping sensitive text from logs. (support.apple.com) That matters because notification previews can contain message text from apps that are supposed to erase chats after they are read or after a timer runs out. TechCrunch reported the bug let law enforcement using forensic tools recover messages that had been deleted or set to disappear. (techcrunch.com)
404 Media reported earlier this month that Federal Bureau of Investigation agents extracted incoming Signal messages from an iPhone’s push-notification database in a Texas criminal case, even after the app had been deleted. The outlet said the case involved an attack at the Immigration and Customs Enforcement Prairieland Detention Facility in Alvarado, Texas, in July 2025. (404media.co)
Apple did not describe any active attacks in its bulletin, and its standard language says it does not discuss security issues until patches are available. Outside reports tied the fix to the Federal Bureau of Investigation’s use of forensic extraction tools rather than to remote hacking of phones over the internet. (support.apple.com) (404media.co)
The patch also landed for older devices on iOS 18.7.8 and iPadOS 18.7.8, according to reports tracking Apple’s release.
BleepingComputer identified the flaw as CVE-2026-28950 and described the update as an out-of-band security release, meaning Apple shipped it outside its regular feature cadence. (bleepingcomputer.com) Apple released iOS 26.4 last month with broader changes to the platform, and 26.4.2 arrived two days after the company published its security note for the fix.
The immediate step for users is simple: install the latest update so notification data marked for deletion is no longer left behind in system logs. (support.apple.com 1) (support.apple.com 2)