APPLE has rolled out iOS and iPadOS updates to patch a vulnerability that could allow deleted messages to be recovered, tracked as CVE-2026-28950. The fixes, in iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8 and iPadOS 18.7.8, address a logging issue that kept notifications marked for deletion on the device and improve data redaction across dozens of iPhone and iPad models, from iPhone XR and XS to iPhone 16 and 16e, and from 5th generation iPad mini to iPad Pro 13-inch (M4).
Apple did not share further details on CVE-2026-28950, nor did it indicate the defect had been exploited in the wild. However, it appears the vulnerability was used by law enforcement to extract Signal messages from an iPhone that had been set to disappear and with the messaging app uninstalled, with the FBI reportedly exploiting the notification issue.
Signal praised Apple's quick action to protect users’ privacy, noting that once the patch is installed, inadvertently-preserved notifications will be deleted and no further notifications will be preserved for deleted apps.