Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages: CVE-2026-28950 (CVSS N/A)

Introduction

Apple released software updates for iOS and iPadOS to address a flaw in its Notification Services. This vulnerability, tracked as CVE-2026-28950, caused notifications marked for deletion to remain on affected devices. While the Common Vulnerability Scoring System (CVSS) score for this issue has not been publicly assigned, it affects user privacy and data security.

The fix comes weeks after reports detailed how the U.S. Federal Bureau of Investigation (FBI) used this data retention to forensically extract copies of incoming Signal messages from a defendant's iPhone. This extraction happened even after the Signal application had been deleted, by accessing content stored in the device's push notification database. This issue shows that data, even temporary notifications, can persist on a device and be recovered.

This incident shows the challenges of securing communication platforms, especially where the underlying operating system handles application data. It reminds security professionals and business leaders that application-layer encryption interacts with system-level data storage, and that breach detection strategies and cyber threat intelligence platforms need to cover vulnerabilities across the entire technology stack.

What is CVE-2026-28950 and why is it critical?

CVE-2026-28950 is a logging flaw in Apple's iOS and iPadOS Notification Services that caused notifications marked for deletion to remain on the device. Apple states it addressed this issue with improved data redaction. The flaw is important because it can expose sensitive user data, even from applications designed for privacy, like Signal, if someone gains physical access to a device.

The vulnerability affects many Apple devices and operating system versions. The technical detail is how the operating system's notification database stored content, creating persistent records that should have been deleted. This behavior bypassed deletion mechanisms, creating a forensic artifact accessible by specialized tools.

The affected devices fall into two primary update paths:

  • Fixed in iOS 26.4.2 and iPadOS 26.4.2:
      • iPhone 11 and later
      • iPad Pro 12.9-inch 3rd generation and later
      • iPad Pro 11-inch 1st generation and later
      • iPad Air 3rd generation and later
      • iPad 8th generation and later
      • iPad mini 5th generation and later
  • Fixed in iOS 18.7.8 and iPadOS 18.7.8:
      • iPhone XR, iPhone XS, iPhone XS Max
      • iPhone 11 (all models)
      • iPhone SE (2nd generation)
      • iPhone 12 (all models)
      • iPhone 13 (all models)
      • iPhone SE (3rd generation)
      • iPhone 14 (all models)
      • iPhone 15 (all models)
      • iPhone 16 (all models), iPhone 16e
      • iPad mini (5th generation - A17 Pro)
      • iPad (7th generation - A16)
      • iPad Air (3rd - 5th generation)
      • iPad Air 11-inch (M2 - M3)
      • iPad Air 13-inch (M2 - M3)
      • iPad Pro 11-inch (1st generation - M4)
      • iPad Pro 12.9-inch (3rd - 6th generation)
      • iPad Pro 13-inch (M4)

This long list of affected devices shows the vulnerability is widespread within the Apple ecosystem. For organizations, this shows the need for complete supply-chain risk monitoring to understand how platform-level vulnerabilities might affect their hardware and software.

Exploitation and Impact

The FBI demonstrated CVE-2026-28950 when it successfully extracted Signal messages from a defendant's iPhone. This forensic extraction was possible because copies of incoming Signal messages were inadvertently saved in the device's push notification database, even after the user deleted the Signal app. The case was linked to an attack on the Prairieland ICE detention center facility, showing a real-world situation where this flaw could provide important information.

The primary impact is a loss of data privacy, especially for users of encrypted communication applications who expect messages to be temporary or to exist only within the application's secure limits. If physical access to a device is gained, this vulnerability allowed recovery of data users thought was removed, bypassing the application's own security measures. This affects individuals whose physical devices might be seized, and organizations handling sensitive communications on mobile devices.

While this instance involved law enforcement, advanced threat actors with physical access or forensic capabilities could theoretically exploit the underlying mechanism of persistent notification data. The Electronic Frontier Foundation (EFF) commented on the wider effects of push notifications, noting that it is often difficult for users to determine what metadata or content might be gathered from notifications, or whether they are unencrypted. This uncertainty creates a blind spot for privacy and security.

Organizations relying on secure mobile communications must account for such system-level data leakage. This calls for services such as dark web monitoring and underground forum intelligence to identify whether similar exploits or data extraction techniques are discussed or traded by malicious entities. Telegram threat monitoring could also provide early warnings if methods for using such vulnerabilities are shared among cybercriminal groups. This proactive monitoring is an important part of a complete cyber threat intelligence platform. Alerts for brand leaks also become relevant if sensitive internal communications are compromised and appear in illicit channels.

Mitigation and Patches

Apple addressed CVE-2026-28950 through software updates, improving data redaction within the Notification Services. The fix ensures notifications marked for deletion are no longer retained on the device. Users are advised to update their Apple devices to the latest iOS or iPadOS versions to apply this important patch.

Specifically, the vulnerability is fixed in:

  • iOS 26.4.2 and iPadOS 26.4.2 for newer devices.
  • iOS 18.7.8 and iPadOS 18.7.8 for a wider range of older, but still supported, devices.

Applying these updates is an essential step to reduce the risk associated with this flaw. Signal confirmed that its iOS users do not need to take any specific action within the application itself for the fix to be effective. Once the patch is installed, all inadvertently preserved notifications will be deleted, and no future notifications from deleted applications will be preserved. This collaborative approach to security, where platform vendors quickly address vulnerabilities, is important for maintaining user trust in secure communication tools. For more information on recent Apple security updates and the importance of timely patching, readers can review our earlier posts on an Apple zero-day in iOS and macOS and the subsequent urgent iOS and macOS update. More information on Apple's security improvements can be found in our discussion on Apple security improvements from March 18.
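For teams managing a fleet, the two fixed versions above translate into a per-release-train check. The following is an added example, not code from Apple, Signal or this article's sources; the inventory format, field names and serials are constructed, and versions outside the 18.x and 26.x trains are flagged for manual review because the article lists no fix for them.

```python
# Added example: triage an MDM inventory export against the fixed versions
# named in this article. Inventory rows and field names are constructed.
import csv
import io
import re

# Fixed versions from the article, keyed by major release train.
FIXED = {26: (26, 4, 2), 18: (18, 7, 8)}

# Constructed sample export (serial, os, os_version); not real devices.
SAMPLE_INVENTORY = """serial,os,os_version
SAMPLE0001,iOS,26.4.2
SAMPLE0002,iOS,26.4.1
SAMPLE0003,iPadOS,18.7.10
SAMPLE0004,iOS,18.7.8
SAMPLE0005,iPadOS,18.7
SAMPLE0006,iOS,17.7.2
SAMPLE0007,iOS,beta-build
"""


def parse_version(text):
    """Return a 3-tuple of ints, padding missing parts with 0, or None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text, flags=re.ASCII):
        return None
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(os_version):
    """Map an OS version string to 'patched', 'vulnerable' or 'review'."""
    version = parse_version(os_version)
    if version is None:
        return "review"  # unparseable value: needs a human look
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "review"  # release train not covered by the article's fix list
    # Tuple comparison is numeric, so 18.7.10 correctly sorts after 18.7.8.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory_csv):
    """Return {serial: status} for every row in the CSV text."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["serial"]: classify(row["os_version"]) for row in reader}


if __name__ == "__main__":
    for serial, status in triage(SAMPLE_INVENTORY).items():
        print(f"{serial}\t{status}")
```

Comparing versions as integer tuples rather than strings avoids misclassifying a build such as 18.7.10 as older than 18.7.8.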

Beyond the system-level patch, users of applications like Signal also have options to improve their privacy configuration:

  • Navigate to the app's profile settings.
  • Select "Notifications."
  • Choose "Show."
  • Select "Name only" or "No name or message" to prevent message content from appearing in notifications.

These in-app settings do not address the underlying system flaw, but they offer a useful defense by limiting sensitive information that the operating system's notification service initially processes and may retain.

Technical Takeaways

  • CVE-2026-28950 is an iOS/iPadOS Notification Services logging flaw that retained deleted notifications.
  • The vulnerability allowed forensic recovery of sensitive communication data, even from end-to-end encrypted applications like Signal, when physical device access was achieved.
  • Apple released iOS 26.4.2/iPadOS 26.4.2 and iOS 18.7.8/iPadOS 18.7.8 to address the issue with improved data redaction.
  • The fix deletes previously retained notifications and prevents future retention for deleted applications.
  • This incident shows that strong application-level encryption must be complemented by secure operating system data handling practices to ensure complete privacy.