Security Domain
Security Architecture & Engineering
Secure design principles, cryptography, physical security, and security models.
6 Articles
← All domainsNSA's January 2027 PQC Deadline Is Nine Months Away — Enterprise Migration Is Now Mandatory
With NIST's post-quantum cryptography standards finalised and the NSA's CNSA 2.0 deadline requiring all new National Security System acquisitions to be quantum-resistant by January 2027, the migration window for enterprise and federal contractor environments is closing fast. Most organisations have yet to inventory their cryptographic assets, let alone begin migration.
Secure Boot Certificates Expire June 2026 — Enterprise Action Window Is Now
Microsoft's 2011 Secure Boot signing certificates expire on 26 June 2026, with the Windows bootloader certificate following in October. Organisations that fail to apply firmware and OS updates before these deadlines lose the ability to receive boot-level security fixes and risk UEFI bootkit exposure. Microsoft has begun displaying warnings in Windows Security app in April 2026, but the update process requires OEM firmware coordination that takes weeks.
Linux Kernel AP VLAN Flaw CVE-2026-31394 Allows Privilege Escalation in Virtualised and Cloud Environments
CVE-2026-31394 is a privilege escalation vulnerability in the Linux kernel's AP VLAN (access point virtual LAN) network driver. Highlighted in Microsoft's Windows Update security reference guide and tracked by multiple Linux distributions, the flaw allows a local user with network namespace access to escalate privileges. Virtual machine hosts, Kubernetes nodes, and container infrastructure are the highest-risk deployment contexts.
Apple macOS CoreMedia Out-of-Bounds Write RCE Disclosed — Remote Exploitation via Malicious Media Files
Zero Day Initiative researchers have disclosed ZDI-26-230, an out-of-bounds write vulnerability in the Apple macOS CoreMedia framework that could allow remote code execution when a user processes a specially crafted media file. A companion vulnerability ZDI-26-231 discloses a separate macOS information disclosure flaw. Both were disclosed on 30 March 2026 following Apple's 120-day coordinated disclosure window.
German Police Physically Visit Companies to Warn of Critical PTC Windchill RCE — No Patch Available
A critical unauthenticated remote code execution vulnerability in PTC Windchill and FlexPLM — industrial PLM software used across manufacturing, aerospace, and defence — prompted German federal and state police to physically dispatch officers to affected companies on the weekend of 27 March. No patch was available at time of the emergency response. PTC has provided a temporary workaround via Apache/IIS rule modification while developing a permanent fix.
VMware Aria Operations CVE-2026-22719 — CISA KEV With Federal Deadline Tomorrow
CISA has added CVE-2026-22719, a command injection vulnerability in VMware Aria Operations, to the Known Exploited Vulnerabilities catalogue with a federal agency patch deadline of 24 March. The flaw allows unauthenticated remote attackers to execute arbitrary commands on the management infrastructure and was patched by Broadcom in February — but active exploitation has been confirmed before many organisations applied the fix.