
iOS 26.4.2 and iOS 18.7.8: the bug that retained deleted notifications

CVE-2026-28950 in the Notification Services component kept notification fragments on device even after deletion. Apple shipped the fix on April 22 with a backport to iOS 18.

On April 22, Apple released iOS 26.4.2 and iOS 18.7.8 to fix CVE-2026-28950, a bug in the Notification Services component that kept notifications marked for deletion stored on the device. The release came days after 404 Media published a report documenting how the FBI had extracted Signal messages from the internal notification database of an iPhone — including messages from an app the user had since deleted.

The problem

iOS maintains an internal database that records received notifications. Deleted notifications should have been removed from that record; a logging error kept them on the device instead. Apple describes the fix as “improved data redaction” and states that the update also retroactively removes fragments already retained on devices that install it.

Apple rated the impact as “low,” which reflects that exploiting the bug requires physical access to the device or a prior compromise. The forensic scenario — an authority with appropriate extraction tools — is precisely the context where this data becomes consequential.

What ends up in the notification database

iOS’s notification database stores alert text, titles, notification bodies, and sometimes additional payload data. This content comes from the APNs request your server sends to Apple, and from any modifications applied by a UNNotificationServiceExtension before display.

Data placed in the APNs payload does not only live in temporary device memory — it is written to a persistent database that, due to CVE-2026-28950, could survive the user deleting the notification. There is nothing to fix in app code; the patch is in the OS. But it is a concrete reminder about the lifecycle of data sent in alert.body, alert.title, and custom payload fields: it ends up on device in a more durable form than many developers assume.

Reducing the surface

The right pattern for apps handling sensitive content is to send a minimal APNs payload and use a UNNotificationServiceExtension to decrypt or enrich the content locally before display. That way the payload traveling over APNs contains no readable text, and whatever lands in the notification database is encrypted data rather than plaintext.

Signal follows this approach: the APNs payload itself does not contain message text. In the FBI case, the notification database reportedly still held preview data — an effect of CVE-2026-28950 retaining fragments even after the app had handled and dismissed the notification. Combining a minimal payload design with the fix now applied is more robust than payload design alone.
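As an added example (not code from the article, Apple or Signal), the following server-side check flags APNs payloads that would put readable text into the notification database, and builds the minimal shape described above for comparison. The custom key names, the generic title and the allow-list are assumptions for this example; `mutable-content: 1` is the real `aps` key that lets a UNNotificationServiceExtension rewrite the content before display.

```python
import base64
import json

# Added example (not article/Apple/Signal code). Key names "c", "n", "i" and the
# generic title are assumptions; adjust them to your own push schema.
OPAQUE_KEYS = {"c", "n", "i"}      # ciphertext, nonce, message id (hypothetical)
GENERIC_TITLES = {"New message"}   # placeholders a service extension will replace
APNS_MAX_BYTES = 4096              # APNs limit for a regular (non-VoIP) payload
TEXT_ALERT_KEYS = ("body", "subtitle", "loc-args", "title-loc-args", "subtitle-loc-args")

def audit_payload(payload: dict) -> list:
    """Return why a payload would store readable text on device; [] if it is clean."""
    problems = []
    aps = payload.get("aps", {})
    alert = aps.get("alert")
    if isinstance(alert, str):
        problems.append("aps.alert is a plaintext string")
    elif isinstance(alert, dict):
        for key in TEXT_ALERT_KEYS:
            if key in alert:
                problems.append(f"aps.alert.{key} carries plaintext")
        if alert.get("title") not in GENERIC_TITLES:
            problems.append("aps.alert.title is not a generic placeholder")
    # Without mutable-content: 1 the UNNotificationServiceExtension never runs,
    # so nothing can swap the placeholder for locally decrypted content.
    if aps.get("mutable-content") != 1:
        problems.append("aps.mutable-content is not 1; no service extension will run")
    for key in payload:
        if key != "aps" and key not in OPAQUE_KEYS:
            problems.append(f"custom key {key!r} is not on the opaque allow-list")
    size = len(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    if size > APNS_MAX_BYTES:
        problems.append(f"payload is {size} bytes, over the {APNS_MAX_BYTES}-byte limit")
    return problems

def minimal_payload(ciphertext: bytes, nonce: bytes, message_id: str) -> dict:
    """The shape the article recommends: generic title, mutable-content, opaque fields."""
    return {
        "aps": {"alert": {"title": "New message"}, "mutable-content": 1, "sound": "default"},
        "c": base64.b64encode(ciphertext).decode("ascii"),
        "n": base64.b64encode(nonce).decode("ascii"),
        "i": message_id,
    }

# Constructed sample of the pattern the article warns about: the text rides in APNs.
PLAINTEXT_PAYLOAD = {
    "aps": {"alert": {"title": "Alice", "body": "Meet at the usual place at 9"}},
    "sender": "alice@example.com",
}
```

Running `audit_payload` over every outgoing push in CI or a pre-send hook catches a plaintext body or an unlisted custom field before it ever reaches a device.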

Devices covered

iOS 26.4.2 is available for iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.

iOS 18.7.8 covers devices still on iOS 18 — iPhone XR, XS, XS Max, and all iPhone 11 and later models that have not upgraded to iOS 26. It is the second iOS 18 security backport in a month: the previous one, iOS 18.7.7, closed the DarkSword chain that strung together six bugs across WebKit and the kernel. CVE-2026-28950 is a different class of problem — not an active remote exploit, but a data retention error — and Apple chose to backport it anyway.


Worth watching: whether Apple will issue an equivalent update for macOS and watchOS, where Notification Services has a similar structure. Nothing has been announced for those platforms so far.

Luca

Software developer, Apple user since 2012. I cover news and tools for developers building on Apple platforms.
