
Apple Patches iOS Notification Flaw (CVE-2026-28950) That Let the FBI Read Deleted Signal Messages

dark6 23 April 2026

Apple has released iOS 26.4.2 and iPadOS 26.4.2 to patch a critical notification-privacy vulnerability that, according to investigative reporting, allowed the FBI to extract Signal message content from a suspect’s iPhone even after the Signal app had been deleted from the device. The update was pushed to users on April 22, 2026.

The Vulnerability: CVE-2026-28950

The flaw, tracked as CVE-2026-28950, is a logging issue in Apple’s notification services. Notifications that should have been cleared when a user deleted the originating app were unexpectedly retained on the device. Because many messaging apps render a preview of the incoming message inside the notification payload, those previews persisted long after users believed their data had been wiped. Apple addressed the root cause by improving data redaction in its notification logging framework.

How the Issue Was Discovered

The vulnerability became public after investigative outlet 404 Media reported that the FBI had successfully extracted Signal notification content from a suspect’s iPhone during a criminal investigation. Despite Signal having been uninstalled from the device, retained notification previews provided enough readable content to be forensically valuable. That revelation triggered a coordinated disclosure process between Signal and Apple, culminating in the release of this patch.

Signal Praises Apple’s Swift Response

Signal publicly acknowledged the fix, thanking Apple for acting quickly after disclosure. In a statement posted to X, the encrypted messaging platform confirmed that the iOS update not only prevents future notifications from lingering after an app is removed but also automatically clears previously retained notification data on affected devices.

The disclosure is particularly significant given Signal's reputation as a gold-standard privacy tool. End-to-end encryption inside the app protects messages in transit, but it is undermined if the surrounding operating system keeps decrypted content in logs or caches after the app is gone. The incident underscores how device-level data residue can silently expose the plaintext that the cryptographic protocol worked to protect.

What Devices Are Affected

The security update applies to a broad range of Apple hardware:

  • iPhone 11 and later
  • iPad Pro 12.9-inch (3rd generation and later) and 11-inch (1st generation and later)
  • iPad Air 3rd generation and later
  • iPad 8th generation and later
  • iPad mini 5th generation and later

Devices that cannot run iOS 26 receive the same fix in iOS 18.7.8, released in parallel. The iOS 26.4.2 build, 23E261, is roughly 670–770 MB depending on the device.

Why This Matters for Privacy-Conscious Users

The vulnerability illustrates three important lessons for enterprise security teams, journalists, activists, and anyone who relies on encrypted messaging:

  • Deleting an app does not guarantee deletion of its data. Notification history, system logs, and cached previews often persist elsewhere in the operating system.
  • Law enforcement forensic capabilities continue to evolve. Modern mobile forensic tools can extract data from sources users rarely think about, including notification databases.
  • Patching is non-negotiable. Organizations handling sensitive communications should mandate rapid rollout of operating system updates, especially those addressing privacy vulnerabilities.

How to Install the Update

Apple users can install the patch immediately by navigating to Settings > General > Software Update; once the device reboots, the installed version can be confirmed under Settings > General > About. Organizations managing fleets via MDM should push the update to enrolled devices as soon as possible, particularly those used in legal, medical, journalistic, or other high-sensitivity contexts, and should treat a device as unpatched until it reports 26.4.2 (or 18.7.8 on the older line) rather than merely "updated".
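The version check is easy to get wrong because the fix ships on two release lines: a device on 18.7.8 is patched even though 18 is lower than 26, while a device on 26.4.1 is not. The following script, an added example and not code from Apple, Signal, or any MDM vendor, reads a constructed inventory of device names and OS versions (a real MDM export would have a different shape) and lists the devices still exposed. The two fixed versions come from the article; any release line without a listed fix is treated as unpatched.

```python
"""Fleet compliance check for the CVE-2026-28950 fix (added example).

Assumptions, not from the advisory itself:
- SAMPLE_INVENTORY is constructed sample data; a real MDM export differs.
- Fixed versions are those named in the article: 26.4.2 on the iOS/iPadOS 26
  line and 18.7.8 on the iOS 18 line. A major version with no listed fix
  (e.g. 17.x) is reported as unpatched.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Minimum patched version per major release line (from the article).
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    26: (26, 4, 2),
    18: (18, 7, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '26.4.2' into (26, 4, 2); a short string like '26.5' becomes (26, 5, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_patched(version: str) -> bool:
    """True if the version carries the notification-retention fix on its own line."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        # No fix was published for this major line, so the device stays exposed.
        return False
    # Tuple comparison: 26.5.0 >= 26.4.2 is patched, 26.4.1 is not.
    return v >= fixed


@dataclass(frozen=True)
class Device:
    name: str
    os_name: str  # "iOS" or "iPadOS"
    version: str


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY: List[Device] = [
    Device("legal-iphone-01", "iOS", "26.4.2"),
    Device("legal-iphone-02", "iOS", "26.4.1"),
    Device("news-ipad-07", "iPadOS", "26.5"),
    Device("older-iphone-a", "iOS", "18.7.8"),
    Device("older-iphone-b", "iOS", "18.7.7"),
    Device("lab-iphone", "iOS", "17.7.2"),
]


def unpatched_devices(inventory: Iterable[Device]) -> List[str]:
    """Names of devices whose reported OS version predates the fix on its line."""
    return [d.name for d in inventory if not is_patched(d.version)]


if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"NOT PATCHED: {name}")
```

Run against the sample inventory, this flags legal-iphone-02 (26.4.1), older-iphone-b (18.7.7) and lab-iphone (17.x) and clears the rest, including the 18.7.8 device that a naive "version >= 26.4.2" comparison would have misreported.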

The CVE-2026-28950 fix is a reminder that mobile privacy is a full-stack problem. Encrypted applications are only as private as the operating system underneath them, and transparency from both messaging vendors and platform owners remains critical.
