Apple has rolled out a security update that appears to close a loophole tied to deleted Signal message previews on iPhones, a flaw that recently drew attention after being linked to a federal investigation.

The issue surfaced following court disclosures reported by 404 Media, where it was revealed that the FBI was able to retrieve Signal message content from an iPhone not through the app itself, but through iOS notification data. Even though Signal messages were configured to disappear and the app was later removed, incoming message previews had already been stored at the system level through iOS notifications.
What made this situation notable is how iOS handles notifications in the background. When apps display message previews on the Lock Screen, parts of that content can be temporarily stored within a local notification database. In this case, those entries were reportedly still accessible even after the original messages were deleted, creating a path for forensic tools to recover message previews.
Apple’s latest updates, iOS 26.4.2 and iOS 18.7.8, directly address this behavior. According to Apple’s security notes, a flaw in Notification Services caused notifications marked for deletion to be unexpectedly retained on the device. The fix introduces improved data redaction, which ensures deleted notification entries are properly cleared from local storage instead of persisting in the system.

Notification Services
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Notifications marked for deletion could be unexpectedly retained on the device
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28950

Apple tracks the issue as CVE-2026-28950 and applies the fix across a wide range of supported iPhones and iPads. While Apple has not explicitly tied the patch to the Signal case, the timing aligns closely with public reporting around the vulnerability and its use in forensic access to notification data.
Signal messages themselves remain end-to-end encrypted, but this case highlights a separate layer of exposure that exists at the operating system level. Once message previews appear in notifications, they can temporarily exist outside the app’s security boundary. That is what made this bug relevant, even though Signal’s encryption was not compromised.
Signal and privacy researchers had previously pointed out that notification content should not persist after deletion, especially for disappearing messages. Signal also recommended limiting message preview content in notifications to reduce what can be exposed at the system level.
Apple’s patch now closes that gap by ensuring deleted notifications do not remain accessible on-device after removal, reducing the chance of forensic recovery through local storage.



