Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages

Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the device.

The vulnerability, tracked as CVE-2026-28950 (CVSS score: N/A), has been described as a logging issue that has been addressed with improved data redaction.

“Notifications marked for deletion could be unexpectedly retained on the device,” Apple said in an advisory.

The shortcoming affects the following devices –

  • iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later – Fixed in iOS 26.4.2 and iPadOS 26.4.2
  • iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), iPhone 16e, iPad mini (5th generation – A17 Pro), iPad (7th generation – A16), iPad Air (3rd – 5th generation), iPad Air 11-inch (M2 – M3), iPad Air 13-inch (M2 – M3), iPad Pro 11-inch (1st generation – M4), iPad Pro 12.9-inch (3rd – 6th generation), and iPad Pro 13-inch (M4) – Fixed in iOS 18.7.8 and iPadOS 18.7.8

The update comes weeks after a report from 404 Media that the U.S. Federal Bureau of Investigation (FBI) managed to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, by taking advantage of the fact that copies of the content were saved in the device’s push notification database.

It is not known why the notifications’ content was logged on the device to begin with, but the latest update suggests it was a bug. That said, it is unclear when this issue was introduced, and if there were prior cases where such data may have been captured by authorities using forensic tools.

While Signal already has an option to prevent the content of incoming messages from being displayed in notifications, the development highlighted how physical access to a device can facilitate the extraction of sensitive data from at-risk users.

“For many app notifications, there is no easy way to simply work out what metadata could be gleaned from a notification, or if the notification is unencrypted or not,” the Electronic Frontier Foundation (EFF) said. “It is also good to rethink whether or not any app needs to be sending you notifications to start with.”


To prevent the message content from showing in notifications, users can navigate to their profile > Notifications > Show, and select one of the following: “Name only” or “No title or message.”

“Note that no action is required for this fix to protect Signal users on iOS,” Signal said in a post on X. “Once you install the patch, all inadvertently-preserved notifications will be deleted, and no forthcoming notifications will be preserved for deleted applications.”

“We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to protect the fundamental human right to private communication.”
