
Intel and Google uncover critical flaws in TDX after joint security review
Recommended for you
Critical vulnerabilities in Google Looker allow developer-level paths to full compromise
Security researchers found two serious flaws in Google Looker that let an attacker with developer privileges run code on hosts and extract the platform’s internal database. Google has patched cloud-hosted instances; organizations running self-managed Looker must update immediately or risk data theft and infrastructure takeover.

CERT-In alerts users to high-risk flaws in Apple Pages/Keynote and Google Chrome; apply patches now
India’s national cybersecurity agency has identified exploitable vulnerabilities in Apple Pages/Keynote and Google’s desktop Chrome that could allow data disclosure or remote code execution. Vendors issued fixes in late January 2026; organisations should prioritise deploying those updates immediately and treat them in the context of a broader trend of vendor emergency patches for document- and API-handling flaws.

Google: Multiple APTs and crime syndicates widely exploited a critical WinRAR flaw
Google Threat Intelligence Group says a high-severity WinRAR vulnerability (CVE-2025-8088) has been actively abused for months by both nation-state actors and financially motivated groups. Attackers leveraged crafted RAR archives and hidden alternate data streams to place persistent payloads — affecting government, military, technology, travel, and banking targets globally.

Hackers Rapidly Exploit Critical BeyondTrust Remote-Access Flaw After PoC Emerges
A critical unauthenticated remote-code execution bug (CVE-2026-1731) in BeyondTrust Remote Support and Privileged Remote Access was probed and targeted within 24 hours of a public proof-of-concept, exposing thousands of internet-facing instances. Organizations should treat exposed BeyondTrust deployments as emergency patching and containment priorities, applying access restrictions, WAF/ACL rules, and focused threat-hunting while verifying remediation.

Google flags intensifying cyber campaigns against the global defense supply chain
Google’s Threat Intelligence Group alerts that coordinated cyber campaigns against firms and personnel in the defense industrial base are increasing, combining long‑dwell implants, commodity exploit reuse, and LLM-assisted social engineering. The advisory urges identity‑first controls, extended cross‑domain telemetry to suppliers and staff, hardware-backed MFA and governed agentic automation to shorten attackers’ windows and blunt supply‑chain impact.

Google engineers indicted over alleged SoC and cryptography files sent to Iran
Three San Jose-based engineers have been charged in a federal indictment accusing them of taking confidential processor and security-related materials from U.S. tech firms and transmitting them to Iran; arrests and court appearances occurred the same day. If convicted, defendants face significant prison terms, monetary penalties, and heightened scrutiny of access controls at chip and cloud companies.

Google GTIG: Zero‑Day Exploits Shift Toward Enterprise Targets in 2025
Google’s GTIG logged 90 exploited zero‑days in 2025 and a record portion hit enterprise infrastructure; commercial spyware vendors and OS flaws drove much of the shift. Field cases — including a long‑running WinRAR exploit and rapid weaponization of disclosed appliance flaws — illustrate how automation and exploit brokerage compress the timeline from discovery to impact.

Google rolls Android updates to fix exploited Qualcomm zero-day
Google issued Android security updates patching roughly 130 vulnerabilities, including an exploited Qualcomm graphics zero-day, CVE-2026-21385 (CVSS 7.8). Organizations must prioritize devices on the 2026-03-01 and 2026-03-05 patch levels to close immediate exposure and treat this as part of a wider cross‑vendor wave of in‑the‑wild fixes (see recent Chrome and document‑parser advisories) that increases urgency for rapid deployment and verification.