Apple has released a security update fixing a critical flaw that allowed deleted Signal message previews to remain stored on iPhone devices. The vulnerability, tracked as CVE-2026-28950, affected both newer and older devices and was resolved in iOS 26.4.2 and iOS 18.7.8.
The bug came to light after court documents from a federal investigation in Texas revealed that the FBI had forensically recovered readable Signal message previews from an iPhone's notification database, even after the app had been deleted. The recovered data included incoming messages only, highlighting a device-level storage issue rather than a break in Signal's end-to-end encryption.
Apple acknowledged the problem in its security notes, stating: "Notifications marked for deletion could be unexpectedly retained on the device." The company fixed the bug with "improved data redaction." While Apple did not name Signal in its advisory, the timing of the patch coincided with public reporting linking the retained notifications to the federal investigation.
Signal confirmed on X that Apple's update addressed the issue: "Apple's advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release." The messaging app emphasized that the privacy gap stemmed from how the iPhone handled notification previews, not from a weakness in Signal's encryption.
Apple's stock (AAPL) rose 2.63% to close at $273.17 following the announcement. The fix has broader implications for messaging privacy, highlighting the gap between strong encryption and how operating systems store notification data locally. Telegram's Pavel Durov commented on the issue, noting that notification previews represent a weak point and pointing to Telegram's optional privacy controls that limit visible message content.