Apple Releases Emergency iOS Updates to Fix FBI-Exploited Signal Vulnerability

The same iOS vulnerability used by the FBI to extract Signal messages from a deleted app has been patched in emergency updates released today, Apple confirmed.

Tracked as CVE-2026-28950, the flaw in Notification Services caused notifications marked for deletion to remain stored on the device. Apple shipped iOS 26.4.2 and iOS 18.7.8 to fix it, warning users to update immediately.

Signal publicly confirmed the fix addresses the issue first reported by 404 Media: that the FBI accessed Signal message notification content from an iPhone even after the app was deleted. "We are very happy that today Apple issued a patch and a security advisory," Signal wrote on X.

"Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications," Signal added. The updates arrive as Apple also battles two active exploit campaigns targeting older iOS versions. The DarkSword exploit kit has been used in cyber attacks since July 2025, deploying data-stealing malware including GhostBlade, GhostKnife and GhostSaber through compromised websites. A second campaign, Coruna, has targeted iPhones through malicious web content in espionage and crypto theft attacks.

Apple took the unusual step of backporting protections to iOS 15 and iOS 16 last week for devices that cannot upgrade further. Users on iOS 13 or 14 must update to at least iOS 15 to receive those fixes. The company also expanded iOS 18.7.7 availability on April 1 to cover devices ranging from iPhone XR through iPhone 16 models, along with iPads dating back to the 7th generation. The DarkSword exploit targets devices running iOS versions between 18.4 and 18.7 via watering hole attacks where users visit real but compromised websites.

"DarkSword silently steals vast amounts of user data purely because the user visited a real (but compromised) website," said Rocky Cole, co-founder and COO at iVerify. The Notification Services fix carries implications beyond Signal, said Adam Boynton, senior enterprise strategy manager at Jamf. Push notification databases can expose two-factor codes, work chat previews, calendar invites and security alerts, essentially "a compressed timeline of someone's working life."

Apple's support document warns that clicking a malicious link or visiting a compromised website on an outdated iPhone puts personal data at risk. Safari Safe Browsing blocks known malicious domains by default, and Lockdown Mode is available for users facing elevated targeting risk.

IOS 26.4.2 is available for iPhone 11 and later models. iOS 18.7.8 covers iPhone XR through iPhone 16e and multiple iPad generations.