Friday, April 24, 2026: Apple has rolled out emergency updates, iOS 26.4.2 and iOS 18.7.8, urging users to update their iPhones immediately. These new releases address a significant security vulnerability related to notification handling that could expose sensitive data.
While Apple hasn’t disclosed extensive details about the fixes, it confirms that both updates patch the same flaw in Notification Services. The issue involved notifications marked for deletion that could unexpectedly be retained on the device, creating a serious privacy risk.
Tracked as CVE-2026-28950, this flaw appears to have been exploited by the FBI to extract Signal message notifications from a suspect’s iPhone, even after the app was deleted. The vulnerability’s existence was first reported by 404 Media, highlighting its potential for misuse.
Apple’s silence on specifics suggests the company wants to prevent attackers from exploiting the flaw before users update. However, security experts note that the problem involves data persistence in notification storage, which could expose private messages and other sensitive information.
iOS 26.4.2 & 18.7.8 Patch Serious Notification Security Flaw – Apple
Signal responded positively to the updates, confirming that the patches effectively resolve the issue. “We’re glad Apple issued a fix. Once users update, all preserved notifications will be deleted, and no future notifications will be stored for deleted apps,” Signal tweeted.
The company also reassured users that no further action is needed, once the update is installed, the vulnerability is closed, and notification data is protected.
In addition to fixing the security flaw, Apple’s update expands iOS 18.7.8 support to newer iPhone models, signaling a shift toward backporting security patches to older operating systems. This comes after last month’s release of iOS 26.4, which included iOS 18.7.7, in response to dangerous spyware exploiting similar vulnerabilities.
Industry experts emphasize the importance of this rapid response. Adam Boynton, senior enterprise strategy manager at Jamf, explained that Apple’s quick patching underscores the seriousness of the issue. “Backporting a patch to older versions shows how vital platform integrity is,” he said.
Boynton warned that the underlying risk isn’t limited to Signal. Any app that surfaces content via push notifications, such as enterprise tools, could be affected, potentially exposing two-factor codes, calendar invites, or internal security alerts.
The latest updates are available for iPhone 11 and newer devices, as well as select iPads. Apple urges all users to update immediately by navigating to Settings > Software Update to safeguard their private communications.
If you’re already running iOS 26, the update also introduces new features, including Apple Music Concerts and eight new emojis, providing extra incentive to upgrade promptly. Don’t delay, protect your device and your privacy today.
