docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602
docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602Andrei Kvapil (kvaps) wants to merge 5 commits into
Conversation
✅ Deploy Preview for cozystack ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
📝 WalkthroughWalkthroughVersioned Talos install guides now add warning callouts about Cozystack Talos images disabling nested virtualization by default, referencing CVE-2026-53359 and noting that ChangesTalos install docs warning updates
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the Talos installation documentation across multiple versions to add kernel arguments (kvm_intel.nested=0 and kvm_amd.nested=0) to mitigate CVE-2026-53359 by disabling KVM nested virtualization. The review feedback points out that on UEFI-booted systems using Talos 1.10+, these extraKernelArgs are silently ignored due to the use of Unified Kernel Images (UKIs). It is recommended to add a warning note in the documentation advising users to bake these arguments into the boot assets using the Image Factory or Imager instead.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
Starting with Talos 1.10, fresh installations on UEFI systems use systemd-boot and Unified Kernel Images (UKIs). On these systems, the .machine.install.extraKernelArgs field in the machine configuration is completely ignored because kernel arguments are embedded directly within the UKI.
Since all documentation versions from v0 (using Talos v1.10.3) to next (using Talos v1.13.0) target Talos 1.10+, this mitigation will be silently ignored on any UEFI-booted nodes, leaving them vulnerable to CVE-2026-53359.
To ensure users are actually protected, please add a warning note in the documentation explaining that on UEFI-booted systems, these kernel arguments must be baked into the boot assets using the Image Factory or Imager (via customization schematics) instead of relying on extraKernelArgs in the machine configuration.
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| # Note: This is ignored on UEFI systems using Talos 1.10+ (use Image Factory instead) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@content/en/docs/next/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos patch example has an invalid YAML structure
because the extraKernelArgs list is not nested under its key. Update the example
in the talosctl docs so extraKernelArgs and its commented kernel args are
indented one level deeper beneath grubUseUKICmdline, keeping the list items
aligned under extraKernelArgs for valid YAML.
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has the extraKernelArgs
list at the wrong indentation level, so the sequence items are not nested under
the key. Update the talos-bootstrap.md example so extraKernelArgs: is followed
by an indented comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries
one level deeper, keeping the block aligned with the surrounding YAML structure.
In `@content/en/docs/v1.3/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has invalid YAML because the
extraKernelArgs list is not nested under its key. Update the talosctl markdown
snippet so the comments and both kernel argument entries are indented one level
deeper under extraKernelArgs, keeping grubUseUKICmdline in the same block and
preserving the example’s structure.
In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has a malformed
`extraKernelArgs` block because the comment and both `kvm_intel.nested=0` /
`kvm_amd.nested=0` entries are not indented under `extraKernelArgs:`. Update the
`talos-bootstrap.md` snippet so the `extraKernelArgs` key in the bootstrap
example contains an indented list, keeping the comment and both list items
nested beneath it.
In `@content/en/docs/v1.4/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has an invalid YAML structure
because the extraKernelArgs sequence items are not nested under the
extraKernelArgs key. Update the example in the talosctl install section so the
comment and both kernel args are indented one level deeper under
extraKernelArgs, keeping the surrounding grubUseUKICmdline setting unchanged.
In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap example has an invalid YAML structure
because the `extraKernelArgs` sequence items are not nested under the
`extraKernelArgs` key. Update the `talos-bootstrap.md` example so the comment
and both `kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one
level under `extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block
in `talos-bootstrap` unchanged.
In `@content/en/docs/v1.5/install/kubernetes/talosctl.md`:
- Around line 88-94: The YAML example in talosctl.md has the extraKernelArgs
list at the wrong indentation level, making the patch invalid. Update the Talos
config snippet so the extraKernelArgs key in the affected block has its comment
and both kernel arguments nested one level deeper under it, keeping the
surrounding grubUseUKICmdline example unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 382f866a-9b3e-4ada-823c-5c6423541a60
📒 Files selected for processing (16)
content/en/docs/next/install/kubernetes/talos-bootstrap.mdcontent/en/docs/next/install/kubernetes/talosctl.mdcontent/en/docs/v0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v0/install/kubernetes/talosctl.mdcontent/en/docs/v1.0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.0/install/kubernetes/talosctl.mdcontent/en/docs/v1.1/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.1/install/kubernetes/talosctl.mdcontent/en/docs/v1.2/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.2/install/kubernetes/talosctl.mdcontent/en/docs/v1.3/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.3/install/kubernetes/talosctl.mdcontent/en/docs/v1.4/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.4/install/kubernetes/talosctl.mdcontent/en/docs/v1.5/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.5/install/kubernetes/talosctl.md
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The list items are rendered at the same indentation level as extraKernelArgs:, so this patch example is not valid YAML as written. Please nest the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos patch example has an invalid YAML structure because the
extraKernelArgs list is not nested under its key. Update the example in the
talosctl docs so extraKernelArgs and its commented kernel args are indented one
level deeper beneath grubUseUKICmdline, keeping the list items aligned under
extraKernelArgs for valid YAML.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
This block reads as if the sequence items are at the same level as extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has the extraKernelArgs list at the wrong
indentation level, so the sequence items are not nested under the key. Update
the talos-bootstrap.md example so extraKernelArgs: is followed by an indented
comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries one level
deeper, keeping the block aligned with the surrounding YAML structure.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
As written, the list items sit alongside extraKernelArgs: instead of nesting under it, so the example is not valid YAML. Please push the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.3/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has invalid YAML because the extraKernelArgs list is
not nested under its key. Update the talosctl markdown snippet so the comments
and both kernel argument entries are indented one level deeper under
extraKernelArgs, keeping grubUseUKICmdline in the same block and preserving the
example’s structure.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The current indentation makes the list items look sibling-level to extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has a malformed `extraKernelArgs` block
because the comment and both `kvm_intel.nested=0` / `kvm_amd.nested=0` entries
are not indented under `extraKernelArgs:`. Update the `talos-bootstrap.md`
snippet so the `extraKernelArgs` key in the bootstrap example contains an
indented list, keeping the comment and both list items nested beneath it.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The example needs the sequence items nested under extraKernelArgs:; otherwise it is invalid YAML for readers copying it into a patch file. Please indent the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.4/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has an invalid YAML structure because the
extraKernelArgs sequence items are not nested under the extraKernelArgs key.
Update the example in the talosctl install section so the comment and both
kernel args are indented one level deeper under extraKernelArgs, keeping the
surrounding grubUseUKICmdline setting unchanged.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
As rendered here, the sequence items are not nested under extraKernelArgs:, so the example will not parse as YAML. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap example has an invalid YAML structure because the
`extraKernelArgs` sequence items are not nested under the `extraKernelArgs` key.
Update the `talos-bootstrap.md` example so the comment and both
`kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one level under
`extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block in
`talos-bootstrap` unchanged.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The sequence items need to be nested under extraKernelArgs:; otherwise the patch example is invalid YAML. Please indent the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.5/install/kubernetes/talosctl.md` around lines 88 - 94,
The YAML example in talosctl.md has the extraKernelArgs list at the wrong
indentation level, making the patch invalid. Update the Talos config snippet so
the extraKernelArgs key in the affected block has its comment and both kernel
arguments nested one level deeper under it, keeping the surrounding
grubUseUKICmdline example unchanged.
IvanHunters
left a comment
There was a problem hiding this comment.
The mitigation is missing on four docs versions that ship a Januscape-affected Talos kernel. The diff patches only next, v1.3, v1.4, v1.5, but these also target vulnerable kernels and are left unmitigated:
- v0 -> Talos v1.11.6
- v1.0 -> Talos v1.12.1
- v1.1 -> Talos v1.12.1
- v1.2 -> Talos v1.12.6
All predate the fixed kernel. The description says the change lands "across every docs version (next, v0, v1.0-v1.5)", which doesn't match the files touched.
Fix, minding per-version differences:
- v0 (Talos 1.11): add
extraKernelArgs: [kvm_intel.nested=0, kvm_amd.nested=0]only — 1.11 has nogrubUseUKICmdlinefield. - v1.0/v1.1/v1.2 (Talos 1.12): add
extraKernelArgs+grubUseUKICmdline: false, same as v1.3+.
Note the older docs hardcode the talos image tag, so the block can't be copied verbatim (the image line differs).
…-2026-53359) Add kvm_intel.nested=0 and kvm_amd.nested=0 to machine.install.extraKernelArgs in the Talos install machine-config examples across all docs versions, to mitigate CVE-2026-53359 (Januscape), a KVM guest-to-host escape reachable only when nested virtualization is exposed to the guest. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> Assisted-By: Claude <noreply@anthropic.com>
… apply (CVE-2026-53359) extraKernelArgs is rejected/ignored under the UKI cmdline on Talos >=1.12; pin grubUseUKICmdline=false in the >=1.12 docs (next, v1.3-v1.5) so the mitigation actually takes effect. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> Assisted-By: Claude <noreply@anthropic.com>
) On Talos <1.12 machine.install.extraKernelArgs is a no-op on UEFI/UKI nodes and grubUseUKICmdline does not exist to opt out, so the snippet did nothing on modern hardware. Remove it from the v0-v1.2 guides (Talos v1.10.3); ≥1.12 guides keep the working grubUseUKICmdline=false + extraKernelArgs form. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> Assisted-By: Claude <noreply@anthropic.com>
…nstall guides The KVM nested-virtualization mitigation for CVE-2026-53359 ("Januscape") belongs in the Cozystack Talos image, not in every user's machine config. kvm_intel/kvm_amd are built into the kernel, so nested= is only settable on the kernel command line, and on UEFI/systemd-boot that command line is baked into the UKI — a machine-config extraKernelArgs override is silently ignored there. The image disables nested virtualization by default (baked into the boot assets at build time), which makes the config-side snippet both UEFI-ineffective and redundant. Drop the grubUseUKICmdline/extraKernelArgs snippet from the next, v1.3, v1.4 and v1.5 install guides and replace it with a note that the image disables nested virtualization by default, plus an honest pointer on re-enabling it (rebuild the image, since the setting lives in the boot assets). Assisted-By: Claude <noreply@anthropic.com> Signed-off-by: Aleksei Sviridkin <f@lex.la>
…ides The v0, v1.0, v1.1 and v1.2 install guides pin an older Cozystack Talos image (v1.10.3) that predates the CVE-2026-53359 ("Januscape") nested- virtualization mitigation and does not disable it. These Talos releases have no grubUseUKICmdline field, and machine.install.extraKernelArgs is a no-op on UEFI/systemd-boot (the command line is baked into the UKI), so an inline config snippet would silently fail on modern hardware. Add an honest note to each guide: the config-side override works only on BIOS/GRUB nodes, and for a reliable fix readers should follow the security advisory or upgrade to a current release whose Talos image disables nested virtualization by default. Assisted-By: Claude <noreply@anthropic.com> Signed-off-by: Aleksei Sviridkin <f@lex.la>
a593dc6 to
c589dd8
Compare
|
Good catch that the earlier diff left those versions unmitigated — but I've reworked the PR in the opposite direction, because the mitigation belongs in the image, not in every user's machine config.
Two corrections on the pins (install-page image tags, not kernel versions): v0, v1.0, v1.1 and v1.2 all hardcode Talos v1.10.3, not v1.11/v1.12 — and v1.10.3 has no Reworked treatment, per served version:
One release-side dependency: the notes on next/v1.3/v1.4/v1.5 are correct as long as this PR ships in the same release as the image bake (cozystack/cozystack#3240). Noted in the PR description. |
What this PR does
Reframes the CVE-2026-53359 ("Januscape") KVM nested-virtualization mitigation in the Talos install docs around the image, not a per-user machine-config snippet.
kvm_intel/kvm_amdare built into the Talos kernel, sonested=is only settable on the kernel command line. On UEFI/systemd-boot that command line is baked into the UKI, so a machine-configinstall.extraKernelArgsis silently ignored — the disable has to be baked into the boot assets at image build time. That is done in cozystack/cozystack#3240; these docs point at it instead of teaching a config-side edit that fails on UEFI and is redundant once the image carries the bake.Per served docs version:
version-pinshortcode. Removed thegrubUseUKICmdline+extraKernelArgssnippet and replaced it with a note that the Cozystack Talos image disables nested virtualization by default, plus how to re-enable (rebuild the image, since the setting lives in the boot assets).grubUseUKICmdlinefield. These don't claim the image handles it: an honest note that a config-side override works only on BIOS/GRUB and is ignored on UEFI/systemd-boot, pointing at the security advisory and recommending an upgrade.The original commits are preserved (rebased onto main); the rework is added on top.
Ship together with cozystack/cozystack#3240. The "image disables nested virt by default" note on the current versions is correct as long as this PR lands in the same release as the image bake.
Related PRs
Coordinated CVE-2026-53359 mitigation across Cozystack repos:
cozystack/genericpresetsScreenshots
N/A — no UI changes.
Release note