iOS Bug Let FBI Recover Deleted Signal Messages
Apple has released out-of-band security updates for iPhone and iPad devices to fix a Notification Services flaw that could allow notifications marked for deletion to remain stored on the device. [...]
What Happened
Apple released out-of-band security updates for iOS and iPadOS on April 15, 2026, to patch a Notification Services vulnerability tracked as CVE-2026-28950. The flaw, discovered in the context of forensic investigations, allowed deleted notifications from encrypted messaging apps like Signal to remain stored on the device and be recovered by law enforcement tools.
The vulnerability affected the way iOS handles notification data in the Notification Services subsystem. When users deleted notifications - including those from Signal’s end-to-end encrypted chats - the system did not properly purge the data from device storage. This left recoverable metadata on the device, which forensic tools such as those used by the FBI could extract.
Apple acknowledged the issue in its security advisory, noting that “a notification may be stored on the device even after it has been marked as deleted.” The company credited a security researcher who reported the issue following public disclosures about forensic data recovery from iOS devices.
Why It Matters
For organizations that mandate the use of encrypted messaging apps like Signal for sensitive communications, this flaw undermines the core promise of ephemeral or deletable messages. Even if users delete notifications containing message content, the metadata - including timestamps, sender information, and in some cases message previews - remained on the device and accessible to anyone with physical or forensic access.
This is particularly relevant for security teams managing bring-your-own-device (BYOD) policies, corporate-issued devices used by executives handling sensitive data, and personnel in high-risk environments such as journalists, activists, or legal professionals. The recovery capability demonstrated by law enforcement indicates that forensic tools can extract this data without needing new exploits, as it was a simple storage persistence bug.
The incident also highlights the broader tension between Apple’s privacy promises and the practical reality of how iOS handles notification data at the operating system level.
Technical Details
CVE-2026-28950 resides in the Notification Services component of iOS and iPadOS. The vulnerability allows the Notification Services subsystem to retain notification data after a user action marks it for deletion. This includes notifications from any app using Apple’s Notification Services APIs, not just Signal.
Exploitation is limited to physical device access. An attacker with forensic-level access - such as law enforcement agencies with Cellebrite or GrayKey tools, or anyone who confiscates an unlocked device - could extract these residual notification records. The flaw does not enable remote exploitation or the interception of notifications in transit.
Affected versions include iOS 18.x and iPadOS 18.x prior to the 18.4.1 emergency update. The fix is available in iOS 18.4.1 and iPadOS 18.4.1. Apple has not disclosed whether the flaw existed in earlier iOS versions, but forensic researchers noted similar behavior in iOS 17 builds during analysis.
Immediate Risk
The immediate risk is moderate for most organizations but high for those handling sensitive communications. The vulnerability requires physical access to exploit, which limits the attack surface. However, in scenarios involving device seizure - border searches, litigation holds, or employee termination - the risk escalates substantially.
Organizations should:
- Update all managed iOS devices to 18.4.1 immediately
- Review device management policies for devices that may have been subject to forensic recovery attempts
- Educate users about the limits of notification deletion on iOS devices
For devices that cannot be updated, consider disabling notification previews for sensitive messaging apps or switching to apps that do not rely on iOS notification APIs for delivery indicators.
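The triage described above can be run over a device inventory export. This is an added example, not code from Apple or from the original article; the CSV column names and the sample rows are constructed assumptions rather than a real MDM schema.

```python
import csv
import io

FIXED = (18, 4, 1)  # fix version stated in the article

# Constructed sample export; the column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """\
device_id,os,os_version,can_update,previews_enabled
exec-01,iOS,18.4,yes,yes
exec-02,iOS,18.4.1,yes,yes
field-07,iPadOS,18.3.2,no,yes
legacy-03,iOS,17.7.2,no,no
lab-11,iOS,18.10,yes,yes
broken-09,iOS,,yes,yes
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if the version is missing or malformed."""
    parts = text.strip().split(".")
    if len(parts) > 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(row):
    """Map one inventory row to (status, action)."""
    version = parse_version(row["os_version"])
    if version is None:
        return "unknown", "verify OS version manually"
    if version >= FIXED:  # tuple comparison, so 18.10 sorts after 18.4.1
        return "patched", "none"
    # The article says Apple has not disclosed exposure before iOS 18.
    status = "affected" if version[0] >= 18 else "unconfirmed"
    if row["can_update"] == "yes":
        return status, "update to 18.4.1"
    if row["previews_enabled"] == "yes":
        return status, "disable notification previews for sensitive apps"
    return status, "previews already off; update when possible"

def triage(csv_text):
    """Classify every device in a CSV inventory export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: classify(row) for row in reader}

if __name__ == "__main__":
    for device, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{device:10} {status:12} {action}")
```

Versions are compared as integer tuples rather than strings, so a build such as 18.10 is not mistaken for one older than 18.4.1, and rows with a missing version are surfaced for manual review instead of being counted as patched.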
Security Insight
This case mirrors the 2021 Pegasus spyware revelations where iOS zero-click exploits abused iMessage notifications for remote code execution. The common thread is that Apple’s Notification Services have historically been treated as a lower-security subsystem compared to the kernel or app sandbox, yet they process data from the highest-security apps on the device - end-to-end encrypted messengers. Security teams should treat notifications as an attack surface equivalent to the app itself, not a peripheral feature. Any app that shows message content in notifications effectively moves its security boundary into the OS notification handler, which may not be designed for that trust level. The Axios prototype pollution to RCE path CVE-2026-40175 similarly showed how trust boundaries get blurred in complex software stacks - this iOS notification bug is the mobile equivalent of that pattern.