Skip to content

docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602

Open
Andrei Kvapil (kvaps) wants to merge 5 commits into
mainfrom
security/cve-2026-53359-disable-nested-virt
Open

docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602
Andrei Kvapil (kvaps) wants to merge 5 commits into
mainfrom
security/cve-2026-53359-disable-nested-virt

Conversation

@kvaps

@kvaps Andrei Kvapil (kvaps) commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

Adds the KVM nested-virtualization disable to the Talos install machine-config examples across all docs versions, to mitigate CVE-2026-53359 ("Januscape"), a guest-to-host escape in the Linux KVM/x86 shadow MMU (a use-after-free in kvm_mmu_get_child_sp() from shadow-page role confusion).

The vulnerable code path is only reachable when a guest is allowed to use nested virtualization; disabling it on the host removes the attack surface regardless of the node kernel patch level. Fixed upstream in 81ccda30b4e8 / stable 6.12.95, 6.6.144, 6.1.177, 6.18.38, 7.1.3 (2026-07-04); no released Talos ships the fixed kernel yet.

Change

Adds kvm_intel.nested=0 and kvm_amd.nested=0 to machine.install.extraKernelArgs in install/kubernetes/talos-bootstrap.md and talosctl.md across every docs version (next, v0, v1.0v1.5). Both args are set so a single config works on Intel and AMD hosts. A reader who needs nested virt can remove them once the node kernel is patched.

Part of a coordinated set of PRs (see Related PRs below).

Related PRs

Coordinated CVE-2026-53359 (Januscape) nested-virtualization mitigation across Cozystack repos:

Summary by CodeRabbit

  • Documentation
    • Updated Kubernetes installation guides across Talos versions to add warning/info callouts about nested virtualization being disabled by default in the Cozystack Talos image.
    • Clarified that machine.install.extraKernelArgs changes to kvm_intel.nested=0 / kvm_amd.nested=0 are reliably effective on BIOS/GRUB, but can be silently ignored on UEFI/systemd-boot due to UKI boot command-line baking.
    • Included CVE-2026-53359 (“Januscape”) security guidance and upgrade/custom-image recommendations.

@netlify

netlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit c589dd8
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6a4e5f83d2b76d00087b0ba6
😎 Deploy Preview https://deploy-preview-602--cozystack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f30b8bf5-d79a-4ab3-bb67-a5cbe1ad4bb6

📥 Commits

Reviewing files that changed from the base of the PR and between 642dbb2 and c589dd8.

📒 Files selected for processing (16)
  • content/en/docs/next/install/kubernetes/talos-bootstrap.md
  • content/en/docs/next/install/kubernetes/talosctl.md
  • content/en/docs/v0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v0/install/kubernetes/talosctl.md
  • content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.0/install/kubernetes/talosctl.md
  • content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talosctl.md
  • content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.2/install/kubernetes/talosctl.md
  • content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.3/install/kubernetes/talosctl.md
  • content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.4/install/kubernetes/talosctl.md
  • content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.5/install/kubernetes/talosctl.md
✅ Files skipped from review due to trivial changes (6)
  • content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.0/install/kubernetes/talosctl.md
  • content/en/docs/v1.2/install/kubernetes/talosctl.md
  • content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talosctl.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • content/en/docs/v0/install/kubernetes/talos-bootstrap.md

📝 Walkthrough

Walkthrough

Versioned Talos install guides now add warning callouts about Cozystack Talos images disabling nested virtualization by default, referencing CVE-2026-53359 and noting that machine.install.extraKernelArgs overrides are ignored on UEFI/systemd-boot nodes.

Changes

Talos install docs warning updates

Layer / File(s) Summary
next docs warning updates
content/en/docs/next/install/kubernetes/talos-bootstrap.md, content/en/docs/next/install/kubernetes/talosctl.md
Adds warning alerts describing default nested virtualization disablement, the CVE reference, and the UEFI/systemd-boot override behavior.
v0 docs warning updates
content/en/docs/v0/install/kubernetes/talos-bootstrap.md, content/en/docs/v0/install/kubernetes/talosctl.md
Adds warning alerts describing the CVE reference and the BIOS/GRUB versus UEFI/systemd-boot behavior for nested-virtualization settings.
v1.0 docs warning updates
content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.0/install/kubernetes/talosctl.md
Adds warning alerts describing the CVE reference and the boot-mode-specific behavior of machine.install.extraKernelArgs.
v1.1 docs warning updates
content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.1/install/kubernetes/talosctl.md
Adds warning alerts describing the pinned image mitigation status and the BIOS/GRUB versus UEFI/systemd-boot behavior.
v1.2 docs warning updates
content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.2/install/kubernetes/talosctl.md
Adds warning alerts describing the CVE reference and the boot-mode-specific handling of nested-virtualization settings.
v1.3 docs warning updates
content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.3/install/kubernetes/talosctl.md
Adds warning alerts describing default nested virtualization disablement and the ignored override behavior on UEFI/systemd-boot nodes.
v1.4 docs warning updates
content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.4/install/kubernetes/talosctl.md
Adds warning alerts describing default nested virtualization disablement and the UEFI/systemd-boot boot-asset behavior.
v1.5 docs warning updates
content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.5/install/kubernetes/talosctl.md
Adds warning alerts describing default nested virtualization disablement and the need for a custom image when nested virtualization is required.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

Suggested reviewers: lllamnyp, IvanHunters

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: updating Talos install docs to disable KVM nested virtualization for CVE-2026-53359.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/cve-2026-53359-disable-nested-virt

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Talos installation documentation across multiple versions to add kernel arguments (kvm_intel.nested=0 and kvm_amd.nested=0) to mitigate CVE-2026-53359 by disabling KVM nested virtualization. The review feedback points out that on UEFI-booted systems using Talos 1.10+, these extraKernelArgs are silently ignored due to the use of Unified Kernel Images (UKIs). It is recommended to add a warning note in the documentation advising users to bake these arguments into the boot assets using the Image Factory or Imager instead.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +68 to +71
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

Starting with Talos 1.10, fresh installations on UEFI systems use systemd-boot and Unified Kernel Images (UKIs). On these systems, the .machine.install.extraKernelArgs field in the machine configuration is completely ignored because kernel arguments are embedded directly within the UKI.

Since all documentation versions from v0 (using Talos v1.10.3) to next (using Talos v1.13.0) target Talos 1.10+, this mitigation will be silently ignored on any UEFI-booted nodes, leaving them vulnerable to CVE-2026-53359.

To ensure users are actually protected, please add a warning note in the documentation explaining that on UEFI-booted systems, these kernel arguments must be baked into the boot assets using the Image Factory or Imager (via customization schematics) instead of relying on extraKernelArgs in the machine configuration.

Suggested change
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
# Note: This is ignored on UEFI systems using Talos 1.10+ (use Image Factory instead)
- kvm_intel.nested=0
- kvm_amd.nested=0

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@content/en/docs/next/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos patch example has an invalid YAML structure
because the extraKernelArgs list is not nested under its key. Update the example
in the talosctl docs so extraKernelArgs and its commented kernel args are
indented one level deeper beneath grubUseUKICmdline, keeping the list items
aligned under extraKernelArgs for valid YAML.

In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has the extraKernelArgs
list at the wrong indentation level, so the sequence items are not nested under
the key. Update the talos-bootstrap.md example so extraKernelArgs: is followed
by an indented comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries
one level deeper, keeping the block aligned with the surrounding YAML structure.

In `@content/en/docs/v1.3/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has invalid YAML because the
extraKernelArgs list is not nested under its key. Update the talosctl markdown
snippet so the comments and both kernel argument entries are indented one level
deeper under extraKernelArgs, keeping grubUseUKICmdline in the same block and
preserving the example’s structure.

In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has a malformed
`extraKernelArgs` block because the comment and both `kvm_intel.nested=0` /
`kvm_amd.nested=0` entries are not indented under `extraKernelArgs:`. Update the
`talos-bootstrap.md` snippet so the `extraKernelArgs` key in the bootstrap
example contains an indented list, keeping the comment and both list items
nested beneath it.

In `@content/en/docs/v1.4/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has an invalid YAML structure
because the extraKernelArgs sequence items are not nested under the
extraKernelArgs key. Update the example in the talosctl install section so the
comment and both kernel args are indented one level deeper under
extraKernelArgs, keeping the surrounding grubUseUKICmdline setting unchanged.

In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap example has an invalid YAML structure
because the `extraKernelArgs` sequence items are not nested under the
`extraKernelArgs` key. Update the `talos-bootstrap.md` example so the comment
and both `kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one
level under `extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block
in `talos-bootstrap` unchanged.

In `@content/en/docs/v1.5/install/kubernetes/talosctl.md`:
- Around line 88-94: The YAML example in talosctl.md has the extraKernelArgs
list at the wrong indentation level, making the patch invalid. Update the Talos
config snippet so the extraKernelArgs key in the affected block has its comment
and both kernel arguments nested one level deeper under it, keeping the
surrounding grubUseUKICmdline example unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 382f866a-9b3e-4ada-823c-5c6423541a60

📥 Commits

Reviewing files that changed from the base of the PR and between f5e48b1 and 642dbb2.

📒 Files selected for processing (16)
  • content/en/docs/next/install/kubernetes/talos-bootstrap.md
  • content/en/docs/next/install/kubernetes/talosctl.md
  • content/en/docs/v0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v0/install/kubernetes/talosctl.md
  • content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.0/install/kubernetes/talosctl.md
  • content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talosctl.md
  • content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.2/install/kubernetes/talosctl.md
  • content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.3/install/kubernetes/talosctl.md
  • content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.4/install/kubernetes/talosctl.md
  • content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.5/install/kubernetes/talosctl.md

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The list items are rendered at the same indentation level as extraKernelArgs:, so this patch example is not valid YAML as written. Please nest the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos patch example has an invalid YAML structure because the
extraKernelArgs list is not nested under its key. Update the example in the
talosctl docs so extraKernelArgs and its commented kernel args are indented one
level deeper beneath grubUseUKICmdline, keeping the list items aligned under
extraKernelArgs for valid YAML.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

This block reads as if the sequence items are at the same level as extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has the extraKernelArgs list at the wrong
indentation level, so the sequence items are not nested under the key. Update
the talos-bootstrap.md example so extraKernelArgs: is followed by an indented
comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries one level
deeper, keeping the block aligned with the surrounding YAML structure.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

As written, the list items sit alongside extraKernelArgs: instead of nesting under it, so the example is not valid YAML. Please push the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.3/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has invalid YAML because the extraKernelArgs list is
not nested under its key. Update the talosctl markdown snippet so the comments
and both kernel argument entries are indented one level deeper under
extraKernelArgs, keeping grubUseUKICmdline in the same block and preserving the
example’s structure.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The current indentation makes the list items look sibling-level to extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has a malformed `extraKernelArgs` block
because the comment and both `kvm_intel.nested=0` / `kvm_amd.nested=0` entries
are not indented under `extraKernelArgs:`. Update the `talos-bootstrap.md`
snippet so the `extraKernelArgs` key in the bootstrap example contains an
indented list, keeping the comment and both list items nested beneath it.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The example needs the sequence items nested under extraKernelArgs:; otherwise it is invalid YAML for readers copying it into a patch file. Please indent the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.4/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has an invalid YAML structure because the
extraKernelArgs sequence items are not nested under the extraKernelArgs key.
Update the example in the talosctl install section so the comment and both
kernel args are indented one level deeper under extraKernelArgs, keeping the
surrounding grubUseUKICmdline setting unchanged.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

As rendered here, the sequence items are not nested under extraKernelArgs:, so the example will not parse as YAML. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap example has an invalid YAML structure because the
`extraKernelArgs` sequence items are not nested under the `extraKernelArgs` key.
Update the `talos-bootstrap.md` example so the comment and both
`kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one level under
`extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block in
`talos-bootstrap` unchanged.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The sequence items need to be nested under extraKernelArgs:; otherwise the patch example is invalid YAML. Please indent the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.5/install/kubernetes/talosctl.md` around lines 88 - 94,
The YAML example in talosctl.md has the extraKernelArgs list at the wrong
indentation level, making the patch invalid. Update the Talos config snippet so
the extraKernelArgs key in the affected block has its comment and both kernel
arguments nested one level deeper under it, keeping the surrounding
grubUseUKICmdline example unchanged.

@IvanHunters IvanHunters left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mitigation is missing on four docs versions that ship a Januscape-affected Talos kernel. The diff patches only next, v1.3, v1.4, v1.5, but these also target vulnerable kernels and are left unmitigated:

  • v0 -> Talos v1.11.6
  • v1.0 -> Talos v1.12.1
  • v1.1 -> Talos v1.12.1
  • v1.2 -> Talos v1.12.6

All predate the fixed kernel. The description says the change lands "across every docs version (next, v0, v1.0-v1.5)", which doesn't match the files touched.

Fix, minding per-version differences:

  • v0 (Talos 1.11): add extraKernelArgs: [kvm_intel.nested=0, kvm_amd.nested=0] only — 1.11 has no grubUseUKICmdline field.
  • v1.0/v1.1/v1.2 (Talos 1.12): add extraKernelArgs + grubUseUKICmdline: false, same as v1.3+.

Note the older docs hardcode the talos image tag, so the block can't be copied verbatim (the image line differs).

Andrei Kvapil (kvaps) and others added 5 commits July 8, 2026 17:10
…-2026-53359)

Add kvm_intel.nested=0 and kvm_amd.nested=0 to machine.install.extraKernelArgs in the Talos install machine-config examples across all docs versions, to mitigate CVE-2026-53359 (Januscape), a KVM guest-to-host escape reachable only when nested virtualization is exposed to the guest.

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Assisted-By: Claude <noreply@anthropic.com>
… apply (CVE-2026-53359)

extraKernelArgs is rejected/ignored under the UKI cmdline on Talos >=1.12; pin grubUseUKICmdline=false in the >=1.12 docs (next, v1.3-v1.5) so the mitigation actually takes effect.

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Assisted-By: Claude <noreply@anthropic.com>
)

On Talos <1.12 machine.install.extraKernelArgs is a no-op on UEFI/UKI nodes and grubUseUKICmdline does not exist to opt out, so the snippet did nothing on modern hardware. Remove it from the v0-v1.2 guides (Talos v1.10.3); ≥1.12 guides keep the working grubUseUKICmdline=false + extraKernelArgs form.

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Assisted-By: Claude <noreply@anthropic.com>
…nstall guides

The KVM nested-virtualization mitigation for CVE-2026-53359 ("Januscape")
belongs in the Cozystack Talos image, not in every user's machine config.
kvm_intel/kvm_amd are built into the kernel, so nested= is only settable on
the kernel command line, and on UEFI/systemd-boot that command line is baked
into the UKI — a machine-config extraKernelArgs override is silently ignored
there. The image disables nested virtualization by default (baked into the
boot assets at build time), which makes the config-side snippet both
UEFI-ineffective and redundant.

Drop the grubUseUKICmdline/extraKernelArgs snippet from the next, v1.3, v1.4
and v1.5 install guides and replace it with a note that the image disables
nested virtualization by default, plus an honest pointer on re-enabling it
(rebuild the image, since the setting lives in the boot assets).

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
…ides

The v0, v1.0, v1.1 and v1.2 install guides pin an older Cozystack Talos
image (v1.10.3) that predates the CVE-2026-53359 ("Januscape") nested-
virtualization mitigation and does not disable it. These Talos releases have
no grubUseUKICmdline field, and machine.install.extraKernelArgs is a no-op on
UEFI/systemd-boot (the command line is baked into the UKI), so an inline
config snippet would silently fail on modern hardware.

Add an honest note to each guide: the config-side override works only on
BIOS/GRUB nodes, and for a reliable fix readers should follow the security
advisory or upgrade to a current release whose Talos image disables nested
virtualization by default.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the security/cve-2026-53359-disable-nested-virt branch from a593dc6 to c589dd8 Compare July 8, 2026 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants