Apple released iOS 26.4.2 on April 22, 2026, to fix a flaw that could leave deleted notifications on users' phones and to scrub fragments left on devices before the repair.
In its update notes Apple said the release addresses a problem "where notifications marked for deletion could be unexpectedly retained on the device," and that it also fixes a logging issue with improved redaction. The company added that the update retroactively purges notification fragments that were stored on‑device before the fix.
The patch, tracked as CVE-2026-28950, targets an exploit that operated against the operating system's own notification logs. Signal, in a post on X on April 22, welcomed the move: "We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted." Those public messages followed recent court testimony showing the FBI was able to access an internal notification database on an iPhone involved in a federal case in Texas.
Apple said the update covers all iPhones from 2019 onwards, including iPhone 11 and later models, the second‑generation and third‑generation iPhone SE, and all members of the iPhone 17 series, including iPhone 17e and iPhone Air. For older hardware, identical security patches are available through iOS 18.7.8 for iPhone XS, iPhone XS Max and iPhone XR.
Security researchers and users will note that iOS 26.4.2 is a follow‑up to an earlier patch this month: iOS 26.4.1, released earlier in April, fixed a bug that affected iCloud data syncing in select apps. MacRumors reported that Apple software engineers were testing iOS 26.4.2 and described it as a likely minor bug‑fix and security update; that site had said the release would likely arrive "either this week or next week." Forbes updated its coverage on April 23 with additional details after Apple published the patch.
The weight of the update is in two elements Apple described plainly: first, a change to how the system logs and redacts notification data; second, a retroactive purge of fragments that had already been retained on devices. Together those actions aim to close the avenue identified in CVE-2026-28950, an exploit that did not target third‑party apps but the device’s own notification architecture.
That combination is also the source of immediate friction. The public confirmation that the FBI accessed an internal notification database on an iPhone in a Texas federal case underlines why the bug mattered; it does not, however, explain how long fragments remained available on affected devices or how many devices were exposed. Signal’s X post framed the patch as a direct response to reporting that revealed access to notification content, and Apple’s retroactive purge acknowledges data persisted in the field, but the company has not published details about the scale of stored fragments or the timeline of access.
For most iPhone owners the practical takeaway is simple and immediate: update. Apple’s patch is available for the list of devices the company named, and identical security fixes have been distributed for older models through iOS 18.7.8. The advisory and Signal’s public response make clear that the vulnerability carried real risk to notification content, and Apple’s improved redaction and purge are designed to limit further exposure.
The unanswered question now is operational: how many devices retained notification fragments before the purge, and under what circumstances did investigators retrieve them from an internal database? The technical fix closes CVE-2026-28950; but the court testimony and Signal’s statement leave open the larger policy and forensic questions about access to on‑device notification logs and how long sensitive fragments were retained.
