Apple Patches Exploited Notification Flaw

    Published: 2026-04-23. Last Updated: 2026-04-23 10:18:30 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    Apple yesterday released iOS/iPadOS 26.4.2 and iOS/iPadOS 18.7.8. This update fixes a single Notification Services vulnerability, CVE-2026-28950:

    Impact: Notifications marked for deletion could be unexpectedly retained on the device

    Description: A logging issue was addressed with improved data redaction.

    Apple did not mark the vulnerability as exploited. However, recent news articles reported that the FBI used this vulnerability to extract Signal messages from a device seized in a criminal case. The suspect in the case used Signal to communicate. Signal is encrypted end-to-end and attempts not to store retrievable data on the device itself. However, Signal may display a notification on the screen whenever a new message is received. These notifications may include the sender's username and some of the message's content. Signal used Apple's Notification Services framework to generate these notifications, and iOS did not delete their contents even when they were marked for deletion.

    Relying on OS libraries and APIs in this way has caused problems before: they are often not designed with the same threat model as the secure messaging application that calls them, so data handed to them may be logged or retained in ways the application never intended.
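    The defensive lesson from this diary is that anything passed into the OS notification pipeline leaves the application's trust boundary and should be treated as potentially persistent. The following Notification Service Extension is an added illustration written for this page; it is not Apple's, Signal's, or the diary author's code, and it does not describe how Signal actually delivers messages. It assumes a remote push with `mutable-content` set, a hypothetical app group `group.example.messenger` shared between app and extension, and a hypothetical preference key `notificationDetail`. The point it shows is the choice point: only the detail level the user opted into is ever handed to iOS for display.

```swift
import UserNotifications

// Added example (not Signal's or Apple's code). Redacts the notification before
// iOS renders, logs or stores it. Applies to remote notifications that carry
// "mutable-content": 1 in their aps dictionary.
final class RedactingNotificationService: UNNotificationServiceExtension {

    private var contentHandler: ((UNNotificationContent) -> Void)?
    private var bestAttemptContent: UNMutableNotificationContent?

    // Hypothetical app group and preference key shared with the main app.
    private let prefs = UserDefaults(suiteName: "group.example.messenger")
    private let detailKey = "notificationDetail" // "full" | "nameOnly" | "none"

    override func didReceive(_ request: UNNotificationRequest,
                             withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void) {
        self.contentHandler = contentHandler

        guard let content = request.content.mutableCopy() as? UNMutableNotificationContent else {
            // Cannot mutate: deliver a fully generic notification rather than the raw payload.
            contentHandler(Self.genericContent())
            return
        }
        bestAttemptContent = content
        contentHandler(Self.redact(content, level: prefs?.string(forKey: detailKey) ?? "none"))
    }

    // Called if the extension runs out of time. iOS would otherwise show the
    // unmodified payload, so fail closed and deliver the most redacted form.
    override func serviceExtensionTimeWillExpire() {
        if let handler = contentHandler, let content = bestAttemptContent {
            handler(Self.redact(content, level: "none"))
        }
    }

    // Default (safest) choice: no sender, no content.
    private static func genericContent() -> UNMutableNotificationContent {
        let c = UNMutableNotificationContent()
        c.title = "Messenger"
        c.body = "You have a new message"
        return c
    }

    // Keep only what the user explicitly opted to reveal; everything else is
    // replaced before the content reaches the system notification store.
    private static func redact(_ content: UNMutableNotificationContent,
                               level: String) -> UNMutableNotificationContent {
        switch level {
        case "full":
            return content                       // sender and message preview shown
        case "nameOnly":
            content.body = "You have a new message"
            content.subtitle = ""
            return content                       // sender shown, text withheld
        default:
            content.title = "Messenger"
            content.subtitle = ""
            content.body = "You have a new message"
            return content                       // neither sender nor text shown
        }
    }
}
```

    The extension fails closed: if mutation is impossible or the time budget expires, the user sees a generic notice instead of the payload. This does not fix the OS-side retention bug the diary describes, but it limits what the framework ever receives, which is the only part of the pipeline an application controls.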

    --
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

    ISC Stormcast For Thursday, April 23rd, 2026 https://isc.sans.edu/podcastdetail/9904
