Apple has just fixed a bug that recently enabled the FBI to retrieve notification messages from a deleted app.
With just weeks until the debut of iOS 27, the tech giant has now released iOS 26.4.2, an update that brought no aesthetic changes but quietly fixed a privacy issue many users had never known existed until recently. Eligible iPad users can also receive this update via iPadOS 26.4.2.
An unexpected update
While many iPhone users were expecting just one more addition to iOS 26 before WWDC in June, Apple had other plans. According to 9to5Mac, iOS 26.5 is expected to debut next month, and based on set timelines, usher in iOS 27, but users will have to get an impromptu update before that: iOS 26.4.2.
Under the hood, this update may come with general security and stability fixes, but Apple highlighted one change: Notification Services.
Until recently, when an app gets deleted, every notification from that app is assumed to be gone with it. But on April 10, the FBI proved that assumption to be false by successfully extracting Signal messages from an iPhone notification center, even after the Signal app had been deleted.
Forbes, reporting on the event, cites an FBI Special Agent who testified that the messages were retrieved from a notification storage area within iOS, thereby granting access to incoming messages from an app that’s no longer on the device.
Apps like Signal promise strong privacy controls over messages. But when those messages are displayed as notifications on the screen, the Operating System captures that and could store them for a period of time, regardless of what controls the app uses.
What many saw as a privacy lesson, Apple saw as a security issue that needed fixing. In its update notes, it tagged the bug as CVE-2026-28950.
According to the company, “notifications marked for deletion could be unexpectedly retained on the device.” Its fix? Fix the logging issue with improved message redaction. Based on Apple’s fix, it suggests that messages will continue to be stored but stripped of all meaningful data.
Who else is getting this update
Although the incident that likely contributed to this update occurred on an iPhone, Apple fixed it across iPhones and iPads that can receive its latest software upgrade. That means users will have to update to iOS 26.4.2, iPadOS 26.4.2, and macOS 26.4.2 to receive this security fix.
iPhone and iPad users who are still eligible for iOS 18 or iPadOS 18 can receive this update as well.
What do we expect next from Apple
The Cupertino-based company has a reputation for privacy. In 2016, it refused an FBI request to override the security settings on the iPhone of an investigation’s suspect.
Still on privacy, a separate 9to5Mac report notes that, before iOS 27, RCS encryption is likely to ship with iOS 26.5, along with other new user-facing features. After that, iOS 27 ships in preparation for the iPhone 18, expected to be released in September.
Also read: Apple is preparing encrypted RCS support for iPhone, a shift that could make messaging with Android users more secure.
