
Update 10:45 a.m. EDT: This article, originally published at 03:47 a.m. EDT, has been updated to include confirmation from Signal and expert commentary about the issue fixed in iOS 26.4.2 and iOS 18.7.8.
Apple has released iOS 26.4.2 and iOS 18.7.8, along with a warning to update your iPhone now. That’s because iOS 26.4 and iOS 18.7.8 fix a single security vulnerability in the iPhone software, which could be pretty serious.
Apple doesn’t provide much detail about what’s fixed in iOS 26.4.2 and iOS 18.7.8, to allow as many users as possible to upgrade before attackers can get hold of the details. But it does reveal that iOS 26.4 and iOS 18.7.8 fix the same flaw, in Notification Services, where notifications marked for deletion could be unexpectedly retained on the device, according to Apple’s support page.
Tracked as CVE-2026-28950, it seems the fix was released as an emergency update for a reason. It appears to be the same vulnerability used by the FBI to extract copies of incoming Signal messages from a defendant’s iPhone, because copies of the content were saved in the push notification database, as first reported by 404 Media.
While Apple doesn’t comment on the details of the fixes in iOS 18.7.8 and iOS 26.4.2, Bleeping Computer points out that “its description of notifications being retained on the device closely aligns with the type of data persistence described in that report.”
I have asked Apple to comment and will update this article if the iPhone maker responds.
Signal Confirms iOS 26.4.2 and iOS 18.7.8 Fix Known Issue
Signal has confirmed iOS 26.4.2 and iOS 18.7.8 fix the issue in question. “We are very happy that today Apple issued a patch and a security advisory,” Signal wrote on X, formerly Twitter, adding that the move comes following 404 Media’s reporting “that the FBI accessed Signal message notification content via iOS despite the app being deleted.”
Apple’s advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release, Signal added.
Signal also pointed out that no action is needed for this fix to protect Signal users on iOS. “Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications.”
“We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication,” Signal added.
iOS 18.7.8 Is Also Available For Newer iPhones
Another security implication of this latest update is the fact that iOS 18.7.8 is also available for later generations of the iPhone, signalling that Apple is now offering iOS 18 to those who want to stay on the older operating system.
It comes after the iPhone maker released iOS 26.4 last month, including the ability to update to iOS 18.7.7 even if you own a newer device. The reason for this was DarkSword, a dangerous spyware that was using iPhone vulnerabilities to attack Apple users. Perhaps Apple is changing its tactics to ensure all users are secured in the face of major risks — certainly when it issues emergency updates to the iPhone software such as iOS 26.4.2 and iOS 18.7.8.
“Apple shipping a dedicated patch for a single issue and backporting it to iOS 18 in the same release, tells you exactly how seriously they take the integrity of their platform,” says Adam Boynton, senior enterprise strategy manager at Jamf.
He describes how a forensic examiner reconstructing notifications a user believed were deleted is like “reading a compressed timeline of someone’s working life.”
“They include the likes of two-factor codes, previews from work chat platforms, calendar invites, customer alerts and even internal security pings,” Boynton warns.
The FBI and Signal case is “eye-catching,” but the underlying exposure applies to any app that surfaces content in push notifications, which is most enterprise collaboration tools in daily use, he says.
Apple’s iOS 26.4.2 is available for iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.
Why You Should Update To iOS 26.4.2 and iOS 18.7.8 Now
The fix issued in iOS 26.4.2 and iOS 18.7.8 might look fairly innocent, but the timing of the upgrade indicates Apple deems it serious. For that reason, you should upgrade your iPhone now.
If you are already on iOS 26, the iOS 26.4.2 update adds new features and bug fixes, including Concerts in Apple Music and eight new emoji, giving you extra reasons for updating right away.
So, what are you waiting for? Go to Settings > Software Update and upgrade to iOS 18.7.8 or iOS 26.4.2 now.