Apple slipped out iOS 26.4.2 on Wednesday with a narrowly focused but important security fix: notifications that were supposed to be deleted could remain on a device and be accessed later. The update is small in size but has outsized privacy implications, and Apple says the change both stops the behavior and retroactively removes any copies that were kept unexpectedly.
What Apple changed
In terse release notes, Apple says the update “provides bug fixes and security updates” and specifically calls out a Notification Services issue where “notifications marked for deletion could be unexpectedly retained on the device.” The company describes the remedy as fixing a logging problem and implementing “improved data redaction.” Macworld’s security listing adds the tracked identifier for the fix: CVE-2026-28950.
The update is available for iPhone 11 and later and a range of newer iPads; Apple also pushed iOS 18.7.8 for older devices that aren’t on iOS 26. If you haven’t already: open Settings → General → Software Update and install it.
Why this matters now
This isn’t just a hypothetical risk. Recent reporting and court testimony showed law enforcement was able to extract push-notification content from an iPhone even after an app had been deleted — notably including notifications tied to Signal messages. That finding highlighted a real-world way that notification data, intended to be ephemeral, could be read later by third parties with device access.
Signal’s leadership publicly urged Apple to fix the problem, and today the company confirmed the patch. Privacy researchers and advocates have long warned that notifications are a two‑front problem: they travel through cloud services and they land on local device storage. Fixing local retention is only one piece of the picture, but an important one.
What Apple says it does for you
Beyond the immediate bug fix, Apple says the update improves how notification data is redacted in logs and that any notifications that were incorrectly retained should be purged after installing the update. In other words: the fix is preventive and corrective, according to Apple.
9to5Mac reports that Apple told it the company became aware of the issue after receiving reports that some push notifications were being retained, then implemented the fix, and that the update will remove existing copies that should have been deleted.
Practical steps for users
- Install iOS 26.4.2 as soon as you can (Settings → General → Software Update). Apple also published a matching iPadOS build.
- If you want extra caution, limit what notifications show on the Lock Screen. Many apps let you hide message previews or remove the sender’s name and content from push text.
- Keep an eye on app privacy settings and consider disabling detailed previews for sensitive messaging apps until you’re confident of their behavior.
If you’re curious about the recent cadence of updates: this patch follows the March/April round of iOS 26 releases — for background on the broader 26.4 rollout and its features, see the coverage of iOS 26.4’s new emojis and Shazam changes and Apple’s quiet follow-up that fixed an iCloud syncing quirk in iOS 26.4.1.
This is the kind of small, targeted patch that rarely makes headlines on its own, but it matters because notifications are where convenience and privacy collide. The update doesn’t change how notifications work at a surface level — it mostly fixes the plumbing that should have been keeping deleted content gone for good.
If anything lingers: Apple is testing iOS 26.5 for a May release, but this 26.4.2 release was pushed out specifically to stop a privacy gap that had already shown up in legal proceedings. That makes it one of those updates you really should install, not someday but today.




