docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602
docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602Andrei Kvapil (kvaps) wants to merge 4 commits into
Conversation
✅ Deploy Preview for cozystack ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Warning Review limit reached
Next review available in: 53 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughTalos install docs across versioned guides now add CVE-2026-53359 warnings, Talos v1.13.6+ fix references, and nested-virtualization guidance. The related security advisory page is updated to mark the issue fixed in Talos and to expand upgrade and mitigation instructions. ChangesTalos install docs warning updates
Security advisory update
Estimated code review effort: 3 (Moderate) | ~20 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the Talos installation documentation across multiple versions to add kernel arguments (kvm_intel.nested=0 and kvm_amd.nested=0) to mitigate CVE-2026-53359 by disabling KVM nested virtualization. The review feedback points out that on UEFI-booted systems using Talos 1.10+, these extraKernelArgs are silently ignored due to the use of Unified Kernel Images (UKIs). It is recommended to add a warning note in the documentation advising users to bake these arguments into the boot assets using the Image Factory or Imager instead.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
Starting with Talos 1.10, fresh installations on UEFI systems use systemd-boot and Unified Kernel Images (UKIs). On these systems, the .machine.install.extraKernelArgs field in the machine configuration is completely ignored because kernel arguments are embedded directly within the UKI.
Since all documentation versions from v0 (using Talos v1.10.3) to next (using Talos v1.13.0) target Talos 1.10+, this mitigation will be silently ignored on any UEFI-booted nodes, leaving them vulnerable to CVE-2026-53359.
To ensure users are actually protected, please add a warning note in the documentation explaining that on UEFI-booted systems, these kernel arguments must be baked into the boot assets using the Image Factory or Imager (via customization schematics) instead of relying on extraKernelArgs in the machine configuration.
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| # Note: This is ignored on UEFI systems using Talos 1.10+ (use Image Factory instead) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@content/en/docs/next/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos patch example has an invalid YAML structure
because the extraKernelArgs list is not nested under its key. Update the example
in the talosctl docs so extraKernelArgs and its commented kernel args are
indented one level deeper beneath grubUseUKICmdline, keeping the list items
aligned under extraKernelArgs for valid YAML.
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has the extraKernelArgs
list at the wrong indentation level, so the sequence items are not nested under
the key. Update the talos-bootstrap.md example so extraKernelArgs: is followed
by an indented comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries
one level deeper, keeping the block aligned with the surrounding YAML structure.
In `@content/en/docs/v1.3/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has invalid YAML because the
extraKernelArgs list is not nested under its key. Update the talosctl markdown
snippet so the comments and both kernel argument entries are indented one level
deeper under extraKernelArgs, keeping grubUseUKICmdline in the same block and
preserving the example’s structure.
In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has a malformed
`extraKernelArgs` block because the comment and both `kvm_intel.nested=0` /
`kvm_amd.nested=0` entries are not indented under `extraKernelArgs:`. Update the
`talos-bootstrap.md` snippet so the `extraKernelArgs` key in the bootstrap
example contains an indented list, keeping the comment and both list items
nested beneath it.
In `@content/en/docs/v1.4/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has an invalid YAML structure
because the extraKernelArgs sequence items are not nested under the
extraKernelArgs key. Update the example in the talosctl install section so the
comment and both kernel args are indented one level deeper under
extraKernelArgs, keeping the surrounding grubUseUKICmdline setting unchanged.
In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap example has an invalid YAML structure
because the `extraKernelArgs` sequence items are not nested under the
`extraKernelArgs` key. Update the `talos-bootstrap.md` example so the comment
and both `kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one
level under `extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block
in `talos-bootstrap` unchanged.
In `@content/en/docs/v1.5/install/kubernetes/talosctl.md`:
- Around line 88-94: The YAML example in talosctl.md has the extraKernelArgs
list at the wrong indentation level, making the patch invalid. Update the Talos
config snippet so the extraKernelArgs key in the affected block has its comment
and both kernel arguments nested one level deeper under it, keeping the
surrounding grubUseUKICmdline example unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 382f866a-9b3e-4ada-823c-5c6423541a60
📒 Files selected for processing (16)
content/en/docs/next/install/kubernetes/talos-bootstrap.mdcontent/en/docs/next/install/kubernetes/talosctl.mdcontent/en/docs/v0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v0/install/kubernetes/talosctl.mdcontent/en/docs/v1.0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.0/install/kubernetes/talosctl.mdcontent/en/docs/v1.1/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.1/install/kubernetes/talosctl.mdcontent/en/docs/v1.2/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.2/install/kubernetes/talosctl.mdcontent/en/docs/v1.3/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.3/install/kubernetes/talosctl.mdcontent/en/docs/v1.4/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.4/install/kubernetes/talosctl.mdcontent/en/docs/v1.5/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.5/install/kubernetes/talosctl.md
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The list items are rendered at the same indentation level as extraKernelArgs:, so this patch example is not valid YAML as written. Please nest the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos patch example has an invalid YAML structure because the
extraKernelArgs list is not nested under its key. Update the example in the
talosctl docs so extraKernelArgs and its commented kernel args are indented one
level deeper beneath grubUseUKICmdline, keeping the list items aligned under
extraKernelArgs for valid YAML.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
This block reads as if the sequence items are at the same level as extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has the extraKernelArgs list at the wrong
indentation level, so the sequence items are not nested under the key. Update
the talos-bootstrap.md example so extraKernelArgs: is followed by an indented
comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries one level
deeper, keeping the block aligned with the surrounding YAML structure.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
As written, the list items sit alongside extraKernelArgs: instead of nesting under it, so the example is not valid YAML. Please push the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.3/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has invalid YAML because the extraKernelArgs list is
not nested under its key. Update the talosctl markdown snippet so the comments
and both kernel argument entries are indented one level deeper under
extraKernelArgs, keeping grubUseUKICmdline in the same block and preserving the
example’s structure.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The current indentation makes the list items look sibling-level to extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has a malformed `extraKernelArgs` block
because the comment and both `kvm_intel.nested=0` / `kvm_amd.nested=0` entries
are not indented under `extraKernelArgs:`. Update the `talos-bootstrap.md`
snippet so the `extraKernelArgs` key in the bootstrap example contains an
indented list, keeping the comment and both list items nested beneath it.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The example needs the sequence items nested under extraKernelArgs:; otherwise it is invalid YAML for readers copying it into a patch file. Please indent the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.4/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has an invalid YAML structure because the
extraKernelArgs sequence items are not nested under the extraKernelArgs key.
Update the example in the talosctl install section so the comment and both
kernel args are indented one level deeper under extraKernelArgs, keeping the
surrounding grubUseUKICmdline setting unchanged.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
As rendered here, the sequence items are not nested under extraKernelArgs:, so the example will not parse as YAML. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap example has an invalid YAML structure because the
`extraKernelArgs` sequence items are not nested under the `extraKernelArgs` key.
Update the `talos-bootstrap.md` example so the comment and both
`kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one level under
`extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block in
`talos-bootstrap` unchanged.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The sequence items need to be nested under extraKernelArgs:; otherwise the patch example is invalid YAML. Please indent the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.5/install/kubernetes/talosctl.md` around lines 88 - 94,
The YAML example in talosctl.md has the extraKernelArgs list at the wrong
indentation level, making the patch invalid. Update the Talos config snippet so
the extraKernelArgs key in the affected block has its comment and both kernel
arguments nested one level deeper under it, keeping the surrounding
grubUseUKICmdline example unchanged.
IvanHunters
left a comment
There was a problem hiding this comment.
The mitigation is missing on four docs versions that ship a Januscape-affected Talos kernel. The diff patches only next, v1.3, v1.4, v1.5, but these also target vulnerable kernels and are left unmitigated:
- v0 -> Talos v1.11.6
- v1.0 -> Talos v1.12.1
- v1.1 -> Talos v1.12.1
- v1.2 -> Talos v1.12.6
All predate the fixed kernel. The description says the change lands "across every docs version (next, v0, v1.0-v1.5)", which doesn't match the files touched.
Fix, minding per-version differences:
- v0 (Talos 1.11): add
extraKernelArgs: [kvm_intel.nested=0, kvm_amd.nested=0]only — 1.11 has nogrubUseUKICmdlinefield. - v1.0/v1.1/v1.2 (Talos 1.12): add
extraKernelArgs+grubUseUKICmdline: false, same as v1.3+.
Note the older docs hardcode the talos image tag, so the block can't be copied verbatim (the image line differs).
a593dc6 to
c589dd8
Compare
|
Good catch that the earlier diff left those versions unmitigated — but I've reworked the PR in the opposite direction, because the mitigation belongs in the image, not in every user's machine config.
Two corrections on the pins (install-page image tags, not kernel versions): v0, v1.0, v1.1 and v1.2 all hardcode Talos v1.10.3, not v1.11/v1.12 — and v1.10.3 has no Reworked treatment, per served version:
One release-side dependency: the notes on next/v1.3/v1.4/v1.5 are correct as long as this PR ships in the same release as the image bake (cozystack/cozystack#3240). Noted in the PR description. |
Hugo renders the inner text of a {{% alert %}} shortcode as markdown on its
own. Inside an ordered-list item the body carried the item's four-space
content indent, which markdown reads as an indented code block, so the alert
displayed its own raw markup instead of the note.
Flush the body to column zero and leave only the shortcode tags indented, so
the alert still belongs to the list item and the surrounding list is not split
in two.
Signed-off-by: Aleksei Sviridkin <f@lex.la>
c589dd8 to
080c20c
Compare
CVE-2026-53359 ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. The complete fix needs both upstream patches, which first meet in Linux 6.18.38 and so in Talos v1.13.6. These docs versions install Talos from the 1.13 line, so moving the image tag reaches the fixed kernel. Say that, and say that nested virtualization stays enabled: the kernel fix removes the bug itself, so there is no reason to take the feature away from workloads that depend on it. Signed-off-by: Aleksei Sviridkin <f@lex.la>
0557399 to
fc8d240
Compare
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@content/en/docs/next/install/kubernetes/talos-bootstrap.md`:
- Around line 105-107: The Talos security alert in the bootstrap docs still
implies nested virtualization remains enabled, but it should instead explain the
Cozystack Talos image default-disablement and the rebuild/re-enable path. Update
the alert text in the Talos bootstrap section to clearly state the default is
disabled, and mention that users must rebuild or re-enable nested virtualization
if their workloads require it; keep the focus on the Talos version guidance and
mitigation wording around the alert block.
In `@content/en/docs/next/install/kubernetes/talosctl.md`:
- Around line 129-131: The Talos security alert text is misleading about nested
virtualization, since it currently implies it remains enabled by default. Reword
the alert in talosctl.md to clearly state the Cozystack Talos image
default-disables nested virtualization, and mention the rebuild/re-enable path
so readers understand how to restore it if needed; update the wording in the
alert block that mentions CVE-2026-53359 and Talos v1.13.6.
In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md`:
- Around line 105-107: The Talos security alert still describes nested
virtualization as staying enabled, which misses the intended mitigation
guidance. Reword the alert in talos-bootstrap.md near the CVE-2026-53359 note to
clearly state that the Cozystack Talos image disables nested virtualization by
default, and that users must rebuild or re-enable it if their workloads require
nested virtualization; keep the CVE and version-upgrade guidance but remove the
“stays enabled” wording.
In `@content/en/docs/v1.4/install/kubernetes/talosctl.md`:
- Around line 129-131: The Talos security alert text is missing the intended
note about Cozystack’s nested-virtualization default being disabled and how to
rebuild/re-enable it. Update the alert content in the talosctl docs to clearly
state the default-disablement and the mitigation/rebuild path, and adjust the
wording around nested virtualization so readers do not infer it remains enabled
by default. Keep the reference to the Talos v1.13.6 fix, but rewrite the final
sentence to match the Cozystack image behavior and recovery steps.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d0c3ea3b-5e94-46e8-9e11-3261271a50e4
📒 Files selected for processing (16)
content/en/docs/next/install/kubernetes/talos-bootstrap.mdcontent/en/docs/next/install/kubernetes/talosctl.mdcontent/en/docs/v0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v0/install/kubernetes/talosctl.mdcontent/en/docs/v1.0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.0/install/kubernetes/talosctl.mdcontent/en/docs/v1.1/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.1/install/kubernetes/talosctl.mdcontent/en/docs/v1.2/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.2/install/kubernetes/talosctl.mdcontent/en/docs/v1.3/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.3/install/kubernetes/talosctl.mdcontent/en/docs/v1.4/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.4/install/kubernetes/talosctl.mdcontent/en/docs/v1.5/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.5/install/kubernetes/talosctl.md
✅ Files skipped from review due to trivial changes (8)
- content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md
- content/en/docs/v1.3/install/kubernetes/talosctl.md
- content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
- content/en/docs/v1.1/install/kubernetes/talosctl.md
- content/en/docs/v1.5/install/kubernetes/talosctl.md
- content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
- content/en/docs/v1.2/install/kubernetes/talosctl.md
- content/en/docs/v0/install/kubernetes/talosctl.md
🚧 Files skipped from review as they are similar to previous changes (4)
- content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
- content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
- content/en/docs/v1.0/install/kubernetes/talosctl.md
- content/en/docs/v0/install/kubernetes/talos-bootstrap.md
| {{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}} | ||
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working. | ||
| {{% /alert %}} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Clarify the nested-virtualization default.
This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/next/install/kubernetes/talos-bootstrap.md` around lines 105
- 107, The Talos security alert in the bootstrap docs still implies nested
virtualization remains enabled, but it should instead explain the Cozystack
Talos image default-disablement and the rebuild/re-enable path. Update the alert
text in the Talos bootstrap section to clearly state the default is disabled,
and mention that users must rebuild or re-enable nested virtualization if their
workloads require it; keep the focus on the Talos version guidance and
mitigation wording around the alert block.
| {{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}} | ||
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working. | ||
| {{% /alert %}} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Clarify the nested-virtualization default.
This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 129 - 131,
The Talos security alert text is misleading about nested virtualization, since
it currently implies it remains enabled by default. Reword the alert in
talosctl.md to clearly state the Cozystack Talos image default-disables nested
virtualization, and mention the rebuild/re-enable path so readers understand how
to restore it if needed; update the wording in the alert block that mentions
CVE-2026-53359 and Talos v1.13.6.
| {{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}} | ||
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working. | ||
| {{% /alert %}} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Clarify the nested-virtualization default.
This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md` around lines 105
- 107, The Talos security alert still describes nested virtualization as staying
enabled, which misses the intended mitigation guidance. Reword the alert in
talos-bootstrap.md near the CVE-2026-53359 note to clearly state that the
Cozystack Talos image disables nested virtualization by default, and that users
must rebuild or re-enable it if their workloads require nested virtualization;
keep the CVE and version-upgrade guidance but remove the “stays enabled”
wording.
| {{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}} | ||
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working. | ||
| {{% /alert %}} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Clarify the nested-virtualization default.
This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.4/install/kubernetes/talosctl.md` around lines 129 - 131,
The Talos security alert text is missing the intended note about Cozystack’s
nested-virtualization default being disabled and how to rebuild/re-enable it.
Update the alert content in the talosctl docs to clearly state the
default-disablement and the mitigation/rebuild path, and adjust the wording
around nested virtualization so readers do not infer it remains enabled by
default. Keep the reference to the Talos v1.13.6 fix, but rewrite the final
sentence to match the Cozystack image behavior and recovery steps.
…l fix Talos v1.13.6 is the first release carrying both kernel fixes. These docs versions install from the 1.10, 1.11 or 1.12 lines, whose newest releases ship Linux 6.12.63, 6.12.62 and 6.18.35, while the fixes landed in 6.12.95 and 6.18.38. Say so, and name the only complete answer: move to a release that installs from the 1.13 line, then pin the image tag at v1.13.6 or newer. The pre-1.13 pages hardcode a 1.10 image tag while the release itself installs from a later line, so their note names no single line. For readers who cannot upgrade, disabling KVM nested virtualization is still the one available mitigation, so keep it, and separate the ways it goes wrong, because they do not fail alike. On Talos 1.12 and newer a config carrying install.extraKernelArgs is rejected outright unless install.grubUseUKICmdline is false, and talosctl gen config writes that field as true -- Talos says so. On systemd-boot, which a fresh UEFI install of Talos 1.10 or newer uses, the kernel command line lives inside the UKI, and the arguments are accepted and then ignored with nothing reported at all. Point the reader at /proc/cmdline rather than at an assumption. Signed-off-by: Aleksei Sviridkin <f@lex.la>
fc8d240 to
ebd8f09
Compare
Talos v1.13.6 shipped on 2026-07-09 with Linux 6.18.38, the first kernel carrying the fixes for both CVE-2026-53359 and its sibling CVE-2026-46113. The advisory was written while no fixed Talos release existed, so it recommended disabling KVM nested virtualization and stated that Cozystack VMs do not need the feature. Both claims are now wrong: the bug is fixed in the kernel, and taking nested virtualization away from workloads that rely on it buys nothing. Lead with an update note, so a reader who acted on the first version learns the recommendation changed rather than finding a silently rewritten page. Say which Talos lines carry the fix and which never will, recommend the upgrade, and keep disabling nested virtualization only as a stop-gap for clusters that cannot upgrade yet. Non-Talos hosts get a fix path too -- their distribution's kernel update -- named without a version, because which stable series carry both patches has not been established here and a security advisory is no place to guess. Correct the stop-gap's caveats, which conflated two unlike failures. Omitting grubUseUKICmdline: false on Talos 1.12 and newer does not quietly drop the kernel arguments -- Talos rejects the config outright, and says so. The quiet failure is systemd-boot, where the command line lives inside the UKI and the arguments are accepted and then ignored with nothing reported; point the reader at /proc/cmdline instead of at an assumption. Drop the automation section: it advertised skills that prescribe and verify a mitigation this advisory no longer recommends. Signed-off-by: Aleksei Sviridkin <f@lex.la>
3cce676 to
8a84587
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md`:
- Around line 105-108: Replace the current Talos node-level workaround in
talos-bootstrap.md with the image-level mitigation for v1.3+: update the note to
point readers at the Cozystack Talos image default-disable approach and rebuild
flow instead of `machine.install.extraKernelArgs` /
`machine.install.grubUseUKICmdline`. Keep the guidance aligned with the existing
Talos/Cozystack release language in this section, and remove the stale per-node
boot-argument instructions from this note.
In `@content/en/docs/v1.3/install/kubernetes/talosctl.md`:
- Around line 129-132: Replace the current Talos 1.12 per-node kernel-args
workaround in the advisory note with the image-level mitigation for v1.3+:
update the warning text in talosctl.md to describe disabling the risky behavior
in the Cozystack Talos image default and rebuilding the image instead of using
machine.install.extraKernelArgs or machine.install.grubUseUKICmdline. Keep the
focus on the image flow and remove the stale node-level guidance so readers are
directed to the correct Talos image/tag-based fix.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 93e7bed0-93a2-4c48-a1cf-9cacbcc5bbff
📒 Files selected for processing (11)
content/en/blog/2026-07-07-security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/index.mdcontent/en/docs/v0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v0/install/kubernetes/talosctl.mdcontent/en/docs/v1.0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.0/install/kubernetes/talosctl.mdcontent/en/docs/v1.1/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.1/install/kubernetes/talosctl.mdcontent/en/docs/v1.2/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.2/install/kubernetes/talosctl.mdcontent/en/docs/v1.3/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.3/install/kubernetes/talosctl.md
| {{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}} | ||
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer. | ||
|
|
||
| If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took. |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Switch this note to the image-level mitigation.
This still documents the per-node extraKernelArgs/grubUseUKICmdline workaround, but the PR objective for v1.3+ is to replace that path with the Cozystack Talos image default-disable note and the rebuild flow. Leaving the old workaround here will keep sending readers to stale instructions.
Suggested rewrite
-If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took.
+The Cozystack Talos image in this release line disables nested virtualization by default. If you need to re-enable it, rebuild the image with the desired kernel arguments baked into the boot assets and verify `/proc/cmdline`.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| {{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}} | |
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer. | |
| If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took. | |
| {{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}} | |
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer. | |
| The Cozystack Talos image in this release line disables nested virtualization by default. If you need to re-enable it, rebuild the image with the desired kernel arguments baked into the boot assets and verify `/proc/cmdline`. |
🧰 Tools
🪛 LanguageTool
[locale-violation] ~108-~108: In American English, ‘afterward’ is the preferred variant. ‘Afterwards’ is more commonly used in British English and other dialects.
Context: ... way, check /proc/cmdline on the node afterwards rather than assuming the mitigation too...
(AFTERWARDS_US)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md` around lines 105
- 108, Replace the current Talos node-level workaround in talos-bootstrap.md
with the image-level mitigation for v1.3+: update the note to point readers at
the Cozystack Talos image default-disable approach and rebuild flow instead of
`machine.install.extraKernelArgs` / `machine.install.grubUseUKICmdline`. Keep
the guidance aligned with the existing Talos/Cozystack release language in this
section, and remove the stale per-node boot-argument instructions from this
note.
| {{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}} | ||
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer. | ||
|
|
||
| If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took. |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Switch this note to the image-level mitigation.
This still documents the per-node extraKernelArgs/grubUseUKICmdline workaround, but the PR objective for v1.3+ is to replace that path with the Cozystack Talos image default-disable note and the rebuild flow. Leaving the old workaround here will keep sending readers to stale instructions.
Suggested rewrite
-If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took.
+The Cozystack Talos image in this release line disables nested virtualization by default. If you need to re-enable it, rebuild the image with the desired kernel arguments baked into the boot assets and verify `/proc/cmdline`.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| {{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}} | |
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer. | |
| If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took. | |
| {{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}} | |
| [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer. | |
| The Cozystack Talos image in this release line disables nested virtualization by default. If you need to re-enable it, rebuild the image with the desired kernel arguments baked into the boot assets and verify `/proc/cmdline`. |
🧰 Tools
🪛 LanguageTool
[locale-violation] ~132-~132: In American English, ‘afterward’ is the preferred variant. ‘Afterwards’ is more commonly used in British English and other dialects.
Context: ... way, check /proc/cmdline on the node afterwards rather than assuming the mitigation too...
(AFTERWARDS_US)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.3/install/kubernetes/talosctl.md` around lines 129 - 132,
Replace the current Talos 1.12 per-node kernel-args workaround in the advisory
note with the image-level mitigation for v1.3+: update the warning text in
talosctl.md to describe disabling the risky behavior in the Cozystack Talos
image default and rebuilding the image instead of using
machine.install.extraKernelArgs or machine.install.grubUseUKICmdline. Keep the
focus on the image flow and remove the stale node-level guidance so readers are
directed to the correct Talos image/tag-based fix.
What this PR does
Reframes the CVE-2026-53359 ("Januscape") KVM nested-virtualization mitigation in the Talos install docs around the image, not a per-user machine-config snippet.
kvm_intel/kvm_amdare built into the Talos kernel, sonested=is only settable on the kernel command line. On UEFI/systemd-boot that command line is baked into the UKI, so a machine-configinstall.extraKernelArgsis silently ignored — the disable has to be baked into the boot assets at image build time. That is done in cozystack/cozystack#3240; these docs point at it instead of teaching a config-side edit that fails on UEFI and is redundant once the image carries the bake.Per served docs version:
version-pinshortcode. Removed thegrubUseUKICmdline+extraKernelArgssnippet and replaced it with a note that the Cozystack Talos image disables nested virtualization by default, plus how to re-enable (rebuild the image, since the setting lives in the boot assets).grubUseUKICmdlinefield. These don't claim the image handles it: an honest note that a config-side override works only on BIOS/GRUB and is ignored on UEFI/systemd-boot, pointing at the security advisory and recommending an upgrade.The original commits are preserved (rebased onto main); the rework is added on top.
Ship together with cozystack/cozystack#3240. The "image disables nested virt by default" note on the current versions is correct as long as this PR lands in the same release as the image bake.
Related PRs
Coordinated CVE-2026-53359 mitigation across Cozystack repos:
cozystack/genericpresetsScreenshots
N/A — no UI changes.
Release note
Summary by CodeRabbit
/proc/cmdline).