Apple released out-of-band security updates (iOS 18.7.8 and iOS 26.4.2) to fix CVE-2026-28950, a bug where notifications marked for deletion were unexpectedly retained on the device. The fix uses improved data redaction. The update appears connected to a reported FBI case where deleted Signal messages were recovered from an iPhone's internal notification storage — even after Signal was uninstalled. Apple has not confirmed exploitation in the wild. Users can also mitigate exposure by configuring Signal's notification content settings to hide message content.
Table of contents
Related Articles:Sort: