The clock is
already ticking.

US

RU

CH

CA

UK

IR

DE

2025-01-17 · EU

EU financial-sector firms must demonstrate operational resilience (incl. ICT third-party risk) — including cryptographic posture.

2025-12-31 · US-NSA

NSA target for new National Security Systems software & firmware to start adopting CNSA 2.0 (Kyber, Dilithium, SHA-2) algorithms.

2026-06-30 · DE-BSI

Annual BSI cryptographic-recommendation refresh — flagged deadline for hybrid (classical + PQC) roll-out in regulated DE.

2027-12-31 · US-NSA

Networking, VPN, and key-management products on NSS networks should fully support CNSA 2.0 algorithms.

2030-12-31 · US-NIST

NIST recommended sunset for classical public-key crypto in federal systems — full PQC migration target.

2033-12-31 · US-NSA

All NSS systems must be using CNSA 2.0 PQC algorithms exclusively.

@CISAgov

Reminder: NSA's CNSA 2.0 timeline is in effect. New software for NSS should now be adopting Kyber, Dilithium, and SHA-2.

@NIST

FIPS 203 (ML-KEM), 204 (ML-DSA) and 205 (SLH-DSA) are now the standards. Migration windows are short for high-value targets.

@matthew_d_green

Harvest-now-decrypt-later isn't a scenario, it's an active intelligence program. The ECDSA signatures you commit today are tomorrow's plaintext.

@hashedout

Bitcoin's quantum exposure isn't a 2040 problem. ~25% of circulating supply sits in P2PKH addresses with exposed pubkeys. Q-Day day-one targets.

@SchneierBlog

If your security architecture cannot survive the public release of CRYSTALS-Kyber breaks, you needed PQC yesterday.

@a16zcrypto

Wallet providers shipping PQC migration paths in 2026 will own the institutional custody narrative for the next decade.

NEWS_THERECORD · INFO

UK to ban social media access for children under 16

The ban will apply to all “user-to-user platforms, whose purpose is to enable social interaction and which allow users to post material, alongside algorithms,” according to a press release from the government’s Department for Science, Innovation and Technology.

NEWS_COINTELEGRAPH · INFO

Here’s what happened in crypto today

Need to know what happened in crypto today? Here is the latest news on daily trends and events impacting Bitcoin price, blockchain, DeFi, Web3 and crypto regulation.

NEWS_COINTELEGRAPH · INFO

Trump crypto company's USD1 stablecoins backing UFC event bonuses

A spokesperson for the Democratic National Committee decried the move as “an opportunity to use the power of the presidency to make [Trump] and his family even richer.”

NEWS_DECRYPT · INFO

Elon Musk Loses Again to OpenAI as Judge Dismisses xAI Trade Secret Lawsuit

A federal judge handed Elon Musk his second defeat against OpenAI after finding xAI failed to show OpenAI improperly obtained confidential info.

GHSA · LOW

GHSA · npm/nuxt · GHSA-rq7w-g337-39qq

Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`

NEWS_DECRYPT · INFO

Pudgy Penguins NFT Game 'Pudgy Party' Shuts Down Less Than a Year After Launch

Pudgy Party, a mobile battle royale game, has closed up shop as the Pudgy Penguins team shifts its focus to its Pudgy World experience.

GHSA · HIGH

GHSA · npm/aws-cdk-lib · CVE-2026-11417

aws-cdk-lib: OS Command Injection in NodejsFunction Bundling

GHSA · MEDIUM

GHSA · maven/io.netty:netty-codec-http2 · CVE-2026-50560

Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

GHSA · MEDIUM

GHSA · maven/io.netty:netty-codec-http · CVE-2026-50020

Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted

GHSA · HIGH

GHSA · maven/io.netty:netty-codec-redis · CVE-2026-50011

Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length

GHSA · HIGH

GHSA · maven/io.netty:netty-handler · CVE-2026-50010

Netty: Wrapping plain trust manager silently disables hostname verification

GHSA · MEDIUM

GHSA · maven/io.netty:netty-codec-classes-quic · CVE-2026-50009

Netty: QUIC stateless reset token material exposed through header-visible connection IDs

GHSA · HIGH

GHSA · maven/io.netty:netty-codec-http3 · CVE-2026-48748

Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion

GHSA · MEDIUM

GHSA · npm/markdown-it · CVE-2026-48988

markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations

GHSA · HIGH

GHSA · pip/starlette · CVE-2026-54283

Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS

GHSA · MEDIUM

GHSA · npm/@opentelemetry/core · CVE-2026-54285

OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

GHSA · LOW

GHSA · pip/Starlette · CVE-2026-54282

Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname

GHSA · MEDIUM

GHSA · pip/tornado · GHSA-pw6j-qg29-8w7f

Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse

GHSA · HIGH

GHSA · npm/@nestjs/platform-fastify · CVE-2026-54281

Nest: Middleware Bypass on Fastify via Trailing Slash

GHSA · HIGH

GHSA · pip/python-multipart · CVE-2026-53539

python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

GHSA · LOW

GHSA · pip/python-multipart · CVE-2026-53540

python-multipart: Negative Content-Length in parse_form buffers the entire body in memory

GHSA · LOW

GHSA · pip/python-multipart · CVE-2026-53538

python-multipart: Semicolon treated as querystring field separator enables parameter smuggling

GHSA · LOW

GHSA · pip/python-multipart · CVE-2026-53537

python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

GHSA · CRITICAL

GHSA · npm/electron · CVE-2026-54257

Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow

GHSA · HIGH

GHSA · pip/tornado · CVE-2026-49853

Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient

GHSA · HIGH

GHSA · pip/tornado · CVE-2026-49855

tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

GHSA · HIGH

GHSA · pip/starlette · CVE-2026-48818

Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows

GHSA · MEDIUM

GHSA · pip/starlette · CVE-2026-48817

Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`

NEWS_COINTELEGRAPH · INFO

Nvidia’s $20 billion debt boom reinforces Bitcoin miners' AI pivot

Nvidia’s planned bond sale reinforces booming AI infrastructure demand, strengthening the case for Bitcoin miners pivoting toward AI data centers.

GHSA · MEDIUM

GHSA · npm/ua-parser-js · CVE-2026-48125

UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`