Apple has released iOS 26.4.2 and iPadOS 26.4.2 to fix a security issue in Notification Services that allowed deleted alerts to stay on a device.
Reports said the FBI used this weakness to access push-notification data. The problem affected Notification Services and was released on April 22, 2026. The bulletin explains that notifications marked for deletion could be unexpectedly retained on the device.
Apple fixed the issue by improving how data is removed, saying a logging issue was addressed with improved data redaction. This flaw let the FBI access push notifications.
A quiet update with a very specific fix
Unlike many iPhone updates that come with lots of new features, this update is all about privacy and security. Apple’s bulletin mentions just one issue for iOS 26.4.2 and iPadOS 26.4.2, called CVE-2026-28950.
It affects iPhone 11 and newer, as well as several recent iPad models. Apple’s advisory is clear about the problem: notifications that should have been deleted could still be stored on the device.
This is important because notification previews can show sensitive information, even if the app’s content is encrypted or deleted.
MSN reported that the FBI used the iPhone’s push notification database to recover Signal message details, even after the app was deleted and messages were supposed to disappear.
Apple did not mention the FBI in its security note, but the timing and details of the patch suggest a clear connection.
Why this bug drew so much attention
The privacy concern here is not just that notifications existed, but that they may have remained in a place investigators or forensic tools could access after users assumed they were gone.
Engadget said the flaw meant deleted push notification data could still be accessible on some iPhones and iPads.
Other reporting on the same patch described the issue as one that let deleted Signal messages be recovered indirectly through stored notification data rather than from the Signal app itself.
This fix matters for more than just one app or law enforcement case. It raises a bigger question about device privacy: when users delete something or a message is supposed to disappear, what is left behind in system logs or databases?
With this update, Apple improved how data is removed so that leftover notification data no longer poses the same risk.
Apple is not framing this as a feature update
On its main iOS update page, Apple says iOS 26.4.2 provides bug fixes and security updates for your iPhone, without mentioning any new features for users.
This is typical for Apple’s security patches: they release them quickly, with little publicity and a brief advisory. Apple also repeats its usual warning that it does not share details about security issues until they have been investigated and fixed.
What iPhone users should do now
The advice for users is simple: install the update. Most people will never have to worry about someone recovering deleted notifications, but this patch fixes a privacy issue that could have exposed information users thought was gone.
The update is now available for supported iPhones and iPads, and Apple’s documentation shows the flaw was serious enough for a separate security release instead of waiting for a bigger update.
In summary, iOS 26.4.2 is a small update with an important privacy message: even deleted notifications can matter, and Apple is closing a loophole that reports say federal investigators had already used.
