Apple released an emergency security update for iPhones and iPads after discovering a serious flaw in the notification system. The problem allowed deleted messages to remain stored in the devices’ internal database, exposing content that should have been removed. The vulnerability, cataloged as CVE-2026-28950, affected users of encrypted messaging applications such as Signal. The company has made iOS 26.4.2 and iPadOS 26.4.2 available for newer devices, in addition to previous versions with iOS 18.7.8 and iPadOS 18.7.8.
Como the flaw compromised users’ privacy
The vulnerability resided in the iOS push notification service. Notificações marked for deletion remained stored locally for up to a month in some cases, even after the user deleted them. The problem became worse when devices had content preview activated on the lock screen, automatically saving the full text of messages in the internal database.
Investigadores managed to extract sensitive information using forensic tools, even when the application had been uninstalled and messages were set to disappear automatically. The case gained visibility after a report revealed the use of the technique in a legal case involving Estados Unidos, leading Apple to act quickly to correct it.
Dispositivos Supported Security Update
- iPhone 11 and newer models receive iOS 26.4.2
- iPad Pro from 3rd generation 12.9 inches
- iPad Air 3rd generation onwards
- 8th generation iPad and 5th generation iPad mini
The distribution in two main versions reflects Apple’s strategy of maintaining support for older devices. Usuários with compatible devices should install the update as soon as possible to close the security gap.
What changes with the implemented fix
The update adds a step to correctly remove notification logs in the operating system. Antes of the fix, the deletion process did not completely clear the internal history, leaving accessible traces. Agora, the implementation includes proper redaction of information, ensuring that deleted notifications do not remain in the database.
Signal confirmed that installing the patch resolves the issue for both past and future messages. Updated Dispositivos no longer retains deleted notifications, strengthening privacy in encrypted messaging apps. The company did not detail the exact reason for the urgency in the official statement, but the timing followed public reports about data extraction in forensic investigations.
Medidas additional recommended privacy protection
Especialistas in security suggest additional adjustments in addition to the mandatory update. Desativar content preview in sensitive application notifications significantly reduces what is saved locally, even with the bug fixed. Usuários must check the settings of each messenger and communication application.
Manter device updated whenever new security versions are released is essential. Apple tends to release isolated patches for critical issues, without waiting for major updates. In the current case, the response was quick after the public exposure of the problem by the security community and Electronic Frontier Foundation.
Impacto for secure communication application users
Muitos users trust platforms like Signal specifically for the automatic disappearance of messages. The previous flaw created a significant hole in this privacy model, allowing authorities to access content that should have been permanently removed. With the patch, the expected behavior returns to full effect, closing a critical vector of data exposure.
Usuários must restart their devices after installing the update to ensure the patch is fully applied. The update does not bring any new interface or additional features, maintaining the full focus on security and privacy.