PatchSiren cyber security CVE debrief
CVE-2026-28950 Apple CVE debrief
Apple addressed a privacy-focused logging issue in iOS and iPadOS that could cause notifications marked for deletion to remain on the device longer than expected. The fix is included in the listed point releases for supported older and current branches. Because the issue involves retained notification data and improved redaction, it is most relevant where sensitive notification content may have been exposed in logs or on-device state.
- Vendor: Apple
- Product: CVE-2026-28950
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-22
- Original CVE updated: 2026-05-11
- Advisory published: 2026-04-22
- Advisory updated: 2026-05-11
Who should care
Organizations and individuals managing or using affected iPhone and iPad devices should care, especially where notification content may include sensitive personal, business, or authentication-related information. Apple device administrators should prioritize confirming that affected devices are moved to the fixed releases.
Technical summary
The vendor description says the issue was a logging problem addressed with improved data redaction. Apple also states that notifications marked for deletion could be unexpectedly retained on the device. NVD classifies the weakness as CWE-359 and assigns CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N with a score of 6.2. The affected product coverage in the supplied record is iOS and iPadOS, with fixes identified for iOS 15.8.8, 16.7.16, 18.7.8, 26.4.2 and iPadOS 15.8.8, 16.7.16, 17.7.11, 18.7.8, 26.4.2.
Defensive priority
Medium. The issue is privacy-oriented rather than integrity- or availability-oriented, but it can leave sensitive notification content retained on-device. Prioritize remediation on managed fleets and any devices handling regulated or sensitive communications.
Recommended defensive actions
- Update affected iPhone and iPad devices to the fixed Apple releases listed in the advisory.
- Verify fleet compliance for the specific affected branches named by Apple and NVD.
- Treat retained notification content as potentially sensitive until patched devices are confirmed.
- Review any internal guidance for handling notification previews, lock-screen visibility, and device privacy settings where appropriate.
- Monitor Apple security release notes and vendor advisories for branch-specific update guidance.
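One way to run the fleet compliance check from the list above, as an added example that is not part of the supplied record or any Apple tooling. The inventory rows and their (device, platform, version) layout are constructed, and treating any version at or above the listed release within the same major branch as patched is an assumption.

```python
# Fixed releases copied from this debrief's technical summary.
FIXED = {
    "iOS": ["15.8.8", "16.7.16", "18.7.8", "26.4.2"],
    "iPadOS": ["15.8.8", "16.7.16", "17.7.11", "18.7.8", "26.4.2"],
}

def parse(version):
    """'18.7' -> (18, 7, 0); pads so '18.7' and '18.7.0' compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(platform, version):
    """Return 'patched', 'needs_update', 'no_listed_fix' or 'unknown'."""
    try:
        current = parse(version)
    except ValueError:
        return "unknown"  # unparseable version string: review by hand
    # Index the listed fixes by major branch for this platform.
    fixes = {parse(v)[0]: parse(v) for v in FIXED.get(platform, [])}
    fix = fixes.get(current[0])
    if fix is None:
        # The record lists no fixed release for this platform/branch,
        # so do not report the device as either patched or patchable.
        return "no_listed_fix"
    # Assumption: later releases in the same branch keep the fix.
    return "patched" if current >= fix else "needs_update"

def report(inventory):
    """Group device names by compliance status."""
    out = {}
    for device, platform, version in inventory:
        out.setdefault(status(platform, version), []).append(device)
    return out

# Constructed sample inventory (hypothetical MDM export).
INVENTORY = [
    ("iphone-001", "iOS", "18.7.8"),
    ("iphone-002", "iOS", "18.7.2"),
    ("iphone-003", "iOS", "17.7.2"),   # no iOS 17 release in the record
    ("ipad-001", "iPadOS", "17.7.11"),
    ("ipad-002", "iPadOS", "26.4"),
    ("ipad-003", "iPadOS", "16.7.16"),
]

if __name__ == "__main__":
    for state, devices in sorted(report(INVENTORY).items()):
        print(f"{state}: {', '.join(devices)}")
```

Devices reported as no_listed_fix sit on a branch for which the record names no fixed release and need a manual decision rather than a pass.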
Evidence notes
This debrief is based only on the supplied CVE record and Apple/NVD references. The source text states: "A logging issue was addressed with improved data redaction" and "Notifications marked for deletion could be unexpectedly retained on the device." NVD’s metadata adds CWE-359 and the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (6.2). No KEV listing is present in the supplied data.
Official resources
- CVE-2026-28950 CVE record (CVE.org)
- CVE-2026-28950 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Source reference: af854a3a-2127-422b-91ae-364da2661108
- Source reference: af854a3a-2127-422b-91ae-364da2661108
Publicly disclosed on 2026-04-22; the supplied record was last modified on 2026-05-11.