Apple has released iOS/iPadOS 26.4.2 and iOS/iPadOS 18.7.8 to fix a single Notification Services vulnerability, CVE-2026-28950, which could cause notifications marked for deletion to be unexpectedly retained on the device. The underlying logging issue was addressed by improved data redaction.
According to SANS[.]edu, Apple did not mark the vulnerability as exploited, but recent news articles reported that the FBI used this flaw to extract Signal messages from a device seized in a criminal case, noting that the suspect used Signal to communicate and that Signal is encrypted end-to-end. The article explains that Signal may display a notification on the screen when new messages arrive, and that these notifications may include the sender’s username and some message content.
It states that Signal used Apple’s Notification Services framework to generate these notifications, and that iOS did not delete their contents even when marked for deletion. The piece also cautions that the use of OS libraries and APIs can create a mismatch between threat models and secure messaging applications.