Apple has launched out-of-band safety updates for iPhone and iPad gadgets to repair a Notification Companies flaw that would permit notifications marked for deletion to stay saved on the gadget.
The bug, tracked as CVE-2026-28950, was mounted on April 22, 2026, in iOS 26.4.2 and iPadOS 26.4.2 and in iOS 18.7.8 and iPadOS 18.7.8.
“Notifications marked for deletion might be unexpectedly retained on the gadget,” reads the Apple safety bulletin.
Apple says the flaw was mounted by improved knowledge redaction however supplied no further info.
Nevertheless, the corporate has not stated whether or not the flaw was exploited in assaults or why it was addressed exterior the traditional safety replace cycle. Apple additionally didn’t share technical particulars about how lengthy notification knowledge remained on the gadget or the way it may probably be recovered.
Whereas Apple has not defined why it launched this emergency replace, latest reporting by 404 Media described how the FBI recovered copies of Sign messages from a suspect’s iPhone, even after that they had been deleted within the app.
In response to trial notes revealed by supporters of the defendants, the recovered knowledge didn’t come from Sign’s encrypted message retailer, however as an alternative from iPhone’s notification storage.
“Messages had been recovered from Sharp’s cellphone by Apple’s inner notification storage — Sign had been eliminated, however incoming notifications had been preserved in inner reminiscence,” the notes state.
404 additionally reported the notification knowledge was retained even after Sign was deleted from the gadget.
Apple’s advisory doesn’t reference the case, however its description of notifications being retained on the gadget carefully aligns with the kind of knowledge persistence described in that report.
Customers are suggested to put in the most recent updates as quickly as doable to forestall deleted notification knowledge from being unexpectedly retained on their gadgets.
Moreover, it’s doable to forestall Sign message content material from being retained within the iOS notification knowledge storage by going to Sign Settings > Notifications> Notification content material and setting Present to “Title Solely” or “No Title or Content material”.
BleepingComputer contacted Apple with questions on these updates, however has not but obtained a response.
AI chained 4 zero-days into one exploit that bypassed each renderer and OS sandboxes. A wave of latest exploits is coming.
On the Autonomous Validation Summit (Might 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls maintain, and closes the remediation loop.
