Apple has released out-of-band security updates for iPhone and iPad devices to fix a Notification Services flaw that could allow notifications marked for deletion to remain stored on the device.

BleepingComputer

Apple released out-of-band security updates (iOS 18.7.8 and iOS 26.4.2) to fix CVE-2026-28950, a bug where notifications marked for deletion were unexpectedly retained on the device. The fix uses improved data redaction. The update appears connected to a reported FBI case where deleted Signal messages were recovered from an iPhone's internal notification storage — even after Signal was uninstalled. Apple has not confirmed exploitation in the wild. Users can also mitigate exposure by configuring Signal's notification content settings to hide message content.

Apple fixes iOS bug that retained deleted notification data