
Apple has released a software fix for iOS and iPadOS to address a flaw in the Notifications service that caused notifications marked for deletion to remain stored on the device.
The vulnerability is tracked as CVE-2026-28950 (CVSS score: N/A) and is described as a logging issue that was resolved with improved data redaction.
“Notifications marked for deletion may unexpectedly remain on your device,” Apple said in the advisory.
The flaw affects the following devices:
iPhone 11 or later, iPad Pro 12.9 inch 3rd generation or later, iPad Pro 11 inch 1st generation or later, iPad Air 3rd generation or later, iPad 8th generation or later, iPad mini 5th generation or later – Fixed in iOS 26.4.2 and iPadOS 26.4.2
iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), iPhone 16e, iPad mini (5th generation – A17 Pro), iPad (7th generation – A16), iPad Air (3rd – 5th generation), iPad Air 11 inch (M2 – M3), iPad Air 13 inch (M2 – M3), iPad Pro 11-inch (1st gen – M4), iPad Pro 12.9-inch (3rd – 6th gen), and iPad Pro 13-inch (M4) – Fixed in iOS 18.7.8 and iPadOS 18.7.8
The update comes weeks after 404 Media reported that the US Federal Bureau of Investigation (FBI) was able to forensically extract copies of received Signal messages from defendants’ iPhones, taking advantage of the fact that a copy of the content is stored in the device’s push notification database even after the app is deleted.
It’s unclear why the content of the notification was recorded on the device in the first place, but the latest update suggests it was a bug. It is also unclear when the issue arose or whether there were previous instances in which authorities may have used forensic tools to collect such data.
While Signal already has an option to prevent the content of incoming messages from appearing in notifications, this development highlights how physical access to a device can facilitate the extraction of sensitive data belonging to at-risk users.
“For most app notifications, there is no easy way to easily understand what metadata is collected from the notification or whether the notification is unencrypted,” the Electronic Frontier Foundation (EFF) said. “You might want to reconsider whether any app should send notifications in the first place.”
To prevent message content from appearing in notifications, Signal users can go to their profile > Notifications > Display and select either “Name only” or “No name or message.”
“Please note that to protect Signal users on iOS, you do not need to do anything with this fix. Once you install the patch, any accidentally saved notifications will be removed and future notifications will no longer be saved for the removed application,” Signal said in a post to X.
“We are grateful to Apple for its quick action and for understanding and acting on the dangers of these types of issues. It takes an ecosystem to protect the fundamental human right to private communications.”
