Apple released iOS 26.4.2 and iPadOS 26.4.2 on April 22, 2026, to patch a critical notification privacy vulnerability that allowed law enforcement to extract Signal message content from iPhones — even after the app had been deleted.
The flaw, tracked as CVE-2026-28950, stems from a logging issue in Apple’s notification services. Notifications marked for deletion were unexpectedly retained on the device, potentially leaving sensitive message previews to persist long after users believed they had been wiped. Apple addressed the root cause through improved data redaction in its logging framework.
The vulnerability gained public attention after investigative outlet 404 Media reported that the FBI had successfully extracted Signal message notification content from a suspect’s iPhone during a criminal investigation, despite Signal being uninstalled from the device. The retained notification previews provided enough readable content to be forensically valuable to investigators.
Signal Praises Apple’s Swift Response
Signal acknowledged the patch publicly, praising Apple for acting quickly after the disclosure. In a post on X, the encrypted messaging platform confirmed that the update not only prevents future notifications from lingering for deleted apps but also automatically clears previously retained notification data on affected devices.
We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted.
Apple’s advisory confirmed that the bugs that allowed this to…— Signal (@signalapp) April 22, 2026
This is particularly significant given Signal’s reputation as a gold-standard privacy tool. The fact that iOS’s own notification infrastructure could inadvertently undermine Signal’s end-to-end encryption at the OS level highlights the complexity of securing a full device privacy stack.
The update applies to a broad range of Apple hardware:
iPhone 11 and later
iPad Pro 12.9-inch (3rd generation and later), 11-inch (1st generation and later)
iPad Air 3rd generation and later
iPad 8th generation and later
iPad mini 5th generation and later
Users on older devices can apply the same fix via iOS 18.7.8 and iPadOS 26.4.2.
Build 23E261, approximately 670–770 MB, is available now. Navigate to Settings > General > Software Update to install the patch immediately.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Apple Fixes Notification Privacy Flaw That Allowed FBI to Access Deleted Signal Messages appeared first on Cyber Security News.
