Skip to content

docs: point CVE-2026-53359 at the Talos v1.13.6 kernel fix#602

Open
Andrei Kvapil (kvaps) wants to merge 4 commits into
mainfrom
security/cve-2026-53359-disable-nested-virt
Open

docs: point CVE-2026-53359 at the Talos v1.13.6 kernel fix#602
Andrei Kvapil (kvaps) wants to merge 4 commits into
mainfrom
security/cve-2026-53359-disable-nested-virt

Conversation

@kvaps

@kvaps Andrei Kvapil (kvaps) commented Jul 7, 2026

Copy link
Copy Markdown
Member

What this PR does

Documents CVE-2026-53359 ("Januscape") and CVE-2026-46113 as what they are — related use-after-free bugs in the KVM x86 shadow MMU, fixed in the kernel — and points each docs version at the fix its Talos line can actually reach.

Talos v1.13.6 (Linux 6.18.38) is the first release carrying both upstream patches. Nested virtualization stays enabled: the kernel fix removes the bug, so there is no reason to take the feature away from workloads that depend on it.

Per served docs version, grouped by the Talos line the version installs from:

  • next, v1.4, v1.5 — install from the 1.13 line, so the fixed kernel is one image tag away. The note says to set the tag to v1.13.6 or newer, and that nested virtualization is unaffected.
  • v1.3 — installs Talos 1.12. No 1.12 release carries the CVE-2026-53359 fix: the newest, v1.12.9, ships Linux 6.18.35, and the fix landed in 6.18.38. The note says so and points at moving to a release on the 1.13 line.
  • v0, v1.0, v1.1, v1.2 — predate the 1.13 line. Every release of the 1.10, 1.11 and 1.12 lines is missing at least one of the two fixes, so the note names no single line: these pages hardcode a 1.10 image tag while the releases themselves install from a later one.

For readers on the versions without a fixed kernel, disabling KVM nested virtualization is still the one available mitigation, so the note keeps it — as a stop-gap, with the two very different ways it fails. On Talos 1.12 and newer a config carrying extraKernelArgs is rejected outright unless grubUseUKICmdline is also false, because talosctl gen config writes that field as true; Talos tells you what is wrong. On systemd-boot, which a fresh UEFI install of 1.10 or newer uses, the command line lives inside the Unified Kernel Image: the arguments are accepted and then silently ignored, and nothing reports it. On 1.10 and 1.11 the field does not exist and the arguments apply as written on a GRUB-booted node.

The security advisory these notes link to is updated in the same change. It previously said no fixed Talos release existed and recommended disabling nested virtualization; it now points at the kernel fix, keeps the mitigation only as a stop-gap for clusters that cannot upgrade, and tells readers on non-Talos hosts to take their distribution's kernel update.

Also fixes a rendering bug in the next install guides, where an alert body carried the enclosing list item's four-space indent and so rendered as an indented code block, displaying its own raw markup.

The ghcr.io/cozystack/cozystack/talos:v1.13.6 tag these notes point at is built by cozystack/cozystack#3240, which has landed.

Screenshots

N/A — no UI changes.

Release note

docs: document CVE-2026-53359 as fixed by the Talos v1.13.6 kernel rather than by disabling KVM nested virtualization, and state per docs version whether its Talos line carries the fix

@netlify

netlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit 8a84587
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6a4fd2b93c03a80008f59551
😎 Deploy Preview https://deploy-preview-602--cozystack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Talos install docs across versioned guides now add CVE-2026-53359 warnings, Talos v1.13.6+ fix references, and nested-virtualization guidance. The related security advisory page is updated to mark the issue fixed in Talos and to expand upgrade and mitigation instructions.

Changes

Talos install docs warning updates

Layer / File(s) Summary
next docs warning updates
content/en/docs/next/install/kubernetes/talos-bootstrap.md, content/en/docs/next/install/kubernetes/talosctl.md
Adds warning alerts describing Talos v1.13.6+ fixes, the CVE reference, and the nested-virtualization note.
early version docs warning updates
content/en/docs/v0/install/kubernetes/talos-bootstrap.md, content/en/docs/v0/install/kubernetes/talosctl.md, content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.0/install/kubernetes/talosctl.md, content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.1/install/kubernetes/talosctl.md
Adds warning alerts describing the CVE reference and the boot-mode-specific nested-virtualization guidance.
mid version docs warning updates
content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.2/install/kubernetes/talosctl.md, content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.3/install/kubernetes/talosctl.md
Adds warning alerts describing the CVE reference, Talos v1.13.6+ fixes, and the boot-mode-specific handling of nested-virtualization settings.
late version docs warning updates
content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.4/install/kubernetes/talosctl.md, content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.5/install/kubernetes/talosctl.md
Adds warning alerts describing Talos v1.13.6+ fixes and nested virtualization remaining enabled.

Security advisory update

Layer / File(s) Summary
status and mitigation rewrite
content/en/blog/2026-07-07-security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/index.md
Updates the advisory description, adds a dated update, revises the severity/status text, and rewrites the mitigation section to prioritize upgrading Talos.
Talos config guidance
content/en/blog/2026-07-07-security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/index.md
Expands the Talos machine-config nested-virtualization instructions with grubUseUKICmdline and extraKernelArgs behavior, boot-mode caveats, and /proc/cmdline verification guidance.
non-Talos host formatting
content/en/blog/2026-07-07-security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/index.md
Adjusts the generic Linux host nested-virtualization mitigation block formatting while preserving the same module options and reboot or reload requirement.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

Suggested reviewers: lllamnyp, IvanHunters

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main documentation update: CVE-2026-53359 is now tied to the Talos v1.13.6 fix.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/cve-2026-53359-disable-nested-virt

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Talos installation documentation across multiple versions to add kernel arguments (kvm_intel.nested=0 and kvm_amd.nested=0) to mitigate CVE-2026-53359 by disabling KVM nested virtualization. The review feedback points out that on UEFI-booted systems using Talos 1.10+, these extraKernelArgs are silently ignored due to the use of Unified Kernel Images (UKIs). It is recommended to add a warning note in the documentation advising users to bake these arguments into the boot assets using the Image Factory or Imager instead.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +68 to +71
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

Starting with Talos 1.10, fresh installations on UEFI systems use systemd-boot and Unified Kernel Images (UKIs). On these systems, the .machine.install.extraKernelArgs field in the machine configuration is completely ignored because kernel arguments are embedded directly within the UKI.

Since all documentation versions from v0 (using Talos v1.10.3) to next (using Talos v1.13.0) target Talos 1.10+, this mitigation will be silently ignored on any UEFI-booted nodes, leaving them vulnerable to CVE-2026-53359.

To ensure users are actually protected, please add a warning note in the documentation explaining that on UEFI-booted systems, these kernel arguments must be baked into the boot assets using the Image Factory or Imager (via customization schematics) instead of relying on extraKernelArgs in the machine configuration.

Suggested change
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
# Note: This is ignored on UEFI systems using Talos 1.10+ (use Image Factory instead)
- kvm_intel.nested=0
- kvm_amd.nested=0

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@content/en/docs/next/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos patch example has an invalid YAML structure
because the extraKernelArgs list is not nested under its key. Update the example
in the talosctl docs so extraKernelArgs and its commented kernel args are
indented one level deeper beneath grubUseUKICmdline, keeping the list items
aligned under extraKernelArgs for valid YAML.

In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has the extraKernelArgs
list at the wrong indentation level, so the sequence items are not nested under
the key. Update the talos-bootstrap.md example so extraKernelArgs: is followed
by an indented comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries
one level deeper, keeping the block aligned with the surrounding YAML structure.

In `@content/en/docs/v1.3/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has invalid YAML because the
extraKernelArgs list is not nested under its key. Update the talosctl markdown
snippet so the comments and both kernel argument entries are indented one level
deeper under extraKernelArgs, keeping grubUseUKICmdline in the same block and
preserving the example’s structure.

In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has a malformed
`extraKernelArgs` block because the comment and both `kvm_intel.nested=0` /
`kvm_amd.nested=0` entries are not indented under `extraKernelArgs:`. Update the
`talos-bootstrap.md` snippet so the `extraKernelArgs` key in the bootstrap
example contains an indented list, keeping the comment and both list items
nested beneath it.

In `@content/en/docs/v1.4/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has an invalid YAML structure
because the extraKernelArgs sequence items are not nested under the
extraKernelArgs key. Update the example in the talosctl install section so the
comment and both kernel args are indented one level deeper under
extraKernelArgs, keeping the surrounding grubUseUKICmdline setting unchanged.

In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap example has an invalid YAML structure
because the `extraKernelArgs` sequence items are not nested under the
`extraKernelArgs` key. Update the `talos-bootstrap.md` example so the comment
and both `kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one
level under `extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block
in `talos-bootstrap` unchanged.

In `@content/en/docs/v1.5/install/kubernetes/talosctl.md`:
- Around line 88-94: The YAML example in talosctl.md has the extraKernelArgs
list at the wrong indentation level, making the patch invalid. Update the Talos
config snippet so the extraKernelArgs key in the affected block has its comment
and both kernel arguments nested one level deeper under it, keeping the
surrounding grubUseUKICmdline example unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 382f866a-9b3e-4ada-823c-5c6423541a60

📥 Commits

Reviewing files that changed from the base of the PR and between f5e48b1 and 642dbb2.

📒 Files selected for processing (16)
  • content/en/docs/next/install/kubernetes/talos-bootstrap.md
  • content/en/docs/next/install/kubernetes/talosctl.md
  • content/en/docs/v0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v0/install/kubernetes/talosctl.md
  • content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.0/install/kubernetes/talosctl.md
  • content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talosctl.md
  • content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.2/install/kubernetes/talosctl.md
  • content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.3/install/kubernetes/talosctl.md
  • content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.4/install/kubernetes/talosctl.md
  • content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.5/install/kubernetes/talosctl.md

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The list items are rendered at the same indentation level as extraKernelArgs:, so this patch example is not valid YAML as written. Please nest the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos patch example has an invalid YAML structure because the
extraKernelArgs list is not nested under its key. Update the example in the
talosctl docs so extraKernelArgs and its commented kernel args are indented one
level deeper beneath grubUseUKICmdline, keeping the list items aligned under
extraKernelArgs for valid YAML.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

This block reads as if the sequence items are at the same level as extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has the extraKernelArgs list at the wrong
indentation level, so the sequence items are not nested under the key. Update
the talos-bootstrap.md example so extraKernelArgs: is followed by an indented
comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries one level
deeper, keeping the block aligned with the surrounding YAML structure.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

As written, the list items sit alongside extraKernelArgs: instead of nesting under it, so the example is not valid YAML. Please push the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.3/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has invalid YAML because the extraKernelArgs list is
not nested under its key. Update the talosctl markdown snippet so the comments
and both kernel argument entries are indented one level deeper under
extraKernelArgs, keeping grubUseUKICmdline in the same block and preserving the
example’s structure.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The current indentation makes the list items look sibling-level to extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has a malformed `extraKernelArgs` block
because the comment and both `kvm_intel.nested=0` / `kvm_amd.nested=0` entries
are not indented under `extraKernelArgs:`. Update the `talos-bootstrap.md`
snippet so the `extraKernelArgs` key in the bootstrap example contains an
indented list, keeping the comment and both list items nested beneath it.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The example needs the sequence items nested under extraKernelArgs:; otherwise it is invalid YAML for readers copying it into a patch file. Please indent the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.4/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has an invalid YAML structure because the
extraKernelArgs sequence items are not nested under the extraKernelArgs key.
Update the example in the talosctl install section so the comment and both
kernel args are indented one level deeper under extraKernelArgs, keeping the
surrounding grubUseUKICmdline setting unchanged.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

As rendered here, the sequence items are not nested under extraKernelArgs:, so the example will not parse as YAML. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap example has an invalid YAML structure because the
`extraKernelArgs` sequence items are not nested under the `extraKernelArgs` key.
Update the `talos-bootstrap.md` example so the comment and both
`kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one level under
`extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block in
`talos-bootstrap` unchanged.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The sequence items need to be nested under extraKernelArgs:; otherwise the patch example is invalid YAML. Please indent the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.5/install/kubernetes/talosctl.md` around lines 88 - 94,
The YAML example in talosctl.md has the extraKernelArgs list at the wrong
indentation level, making the patch invalid. Update the Talos config snippet so
the extraKernelArgs key in the affected block has its comment and both kernel
arguments nested one level deeper under it, keeping the surrounding
grubUseUKICmdline example unchanged.

@IvanHunters IvanHunters left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mitigation is missing on four docs versions that ship a Januscape-affected Talos kernel. The diff patches only next, v1.3, v1.4, v1.5, but these also target vulnerable kernels and are left unmitigated:

  • v0 -> Talos v1.11.6
  • v1.0 -> Talos v1.12.1
  • v1.1 -> Talos v1.12.1
  • v1.2 -> Talos v1.12.6

All predate the fixed kernel. The description says the change lands "across every docs version (next, v0, v1.0-v1.5)", which doesn't match the files touched.

Fix, minding per-version differences:

  • v0 (Talos 1.11): add extraKernelArgs: [kvm_intel.nested=0, kvm_amd.nested=0] only — 1.11 has no grubUseUKICmdline field.
  • v1.0/v1.1/v1.2 (Talos 1.12): add extraKernelArgs + grubUseUKICmdline: false, same as v1.3+.

Note the older docs hardcode the talos image tag, so the block can't be copied verbatim (the image line differs).

@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the security/cve-2026-53359-disable-nested-virt branch from a593dc6 to c589dd8 Compare July 8, 2026 14:32
@lexfrei

Copy link
Copy Markdown
Contributor

Good catch that the earlier diff left those versions unmitigated — but I've reworked the PR in the opposite direction, because the mitigation belongs in the image, not in every user's machine config.

kvm_intel/kvm_amd are built into the Talos kernel, so nested= is only settable on the kernel command line, and on UEFI/systemd-boot that command line is baked into the UKI — a machine.install.extraKernelArgs override is silently ignored there. So the snippet these docs taught didn't actually work on UEFI, and once the image carries the disable (cozystack/cozystack#3240) it's redundant too. Spreading it across more versions would propagate a fix that fails on modern hardware.

Two corrections on the pins (install-page image tags, not kernel versions): v0, v1.0, v1.1 and v1.2 all hardcode Talos v1.10.3, not v1.11/v1.12 — and v1.10.3 has no grubUseUKICmdline field, so the ≥1.12 form couldn't apply there anyway. next/v1.3/v1.4/v1.5 pin Talos through the version-pin shortcode.

Reworked treatment, per served version:

  • next, v1.3, v1.4, v1.5 — dropped the snippet, added a note that the Cozystack Talos image disables nested virtualization by default, plus how to re-enable (rebuild the image, since the setting lives in the boot assets).
  • v0, v1.0, v1.1, v1.2 (Talos v1.10.3, pre-#3240) — an honest note that a config-side override works only on BIOS/GRUB, is ignored on UEFI/systemd-boot, pointing at the security advisory and recommending an upgrade.

One release-side dependency: the notes on next/v1.3/v1.4/v1.5 are correct as long as this PR ships in the same release as the image bake (cozystack/cozystack#3240). Noted in the PR description.

Hugo renders the inner text of a {{% alert %}} shortcode as markdown on its
own. Inside an ordered-list item the body carried the item's four-space
content indent, which markdown reads as an indented code block, so the alert
displayed its own raw markup instead of the note.

Flush the body to column zero and leave only the shortcode tags indented, so
the alert still belongs to the list item and the surrounding list is not split
in two.

Signed-off-by: Aleksei Sviridkin <f@lex.la>
@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the security/cve-2026-53359-disable-nested-virt branch from c589dd8 to 080c20c Compare July 9, 2026 12:55
CVE-2026-53359 ("Januscape") and CVE-2026-46113 are related use-after-free
bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. The
complete fix needs both upstream patches, which first meet in Linux 6.18.38 and
so in Talos v1.13.6.

These docs versions install Talos from the 1.13 line, so moving the image tag
reaches the fixed kernel. Say that, and say that nested virtualization stays
enabled: the kernel fix removes the bug itself, so there is no reason to take
the feature away from workloads that depend on it.

Signed-off-by: Aleksei Sviridkin <f@lex.la>
@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the security/cve-2026-53359-disable-nested-virt branch 3 times, most recently from 0557399 to fc8d240 Compare July 9, 2026 13:14

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@content/en/docs/next/install/kubernetes/talos-bootstrap.md`:
- Around line 105-107: The Talos security alert in the bootstrap docs still
implies nested virtualization remains enabled, but it should instead explain the
Cozystack Talos image default-disablement and the rebuild/re-enable path. Update
the alert text in the Talos bootstrap section to clearly state the default is
disabled, and mention that users must rebuild or re-enable nested virtualization
if their workloads require it; keep the focus on the Talos version guidance and
mitigation wording around the alert block.

In `@content/en/docs/next/install/kubernetes/talosctl.md`:
- Around line 129-131: The Talos security alert text is misleading about nested
virtualization, since it currently implies it remains enabled by default. Reword
the alert in talosctl.md to clearly state the Cozystack Talos image
default-disables nested virtualization, and mention the rebuild/re-enable path
so readers understand how to restore it if needed; update the wording in the
alert block that mentions CVE-2026-53359 and Talos v1.13.6.

In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md`:
- Around line 105-107: The Talos security alert still describes nested
virtualization as staying enabled, which misses the intended mitigation
guidance. Reword the alert in talos-bootstrap.md near the CVE-2026-53359 note to
clearly state that the Cozystack Talos image disables nested virtualization by
default, and that users must rebuild or re-enable it if their workloads require
nested virtualization; keep the CVE and version-upgrade guidance but remove the
“stays enabled” wording.

In `@content/en/docs/v1.4/install/kubernetes/talosctl.md`:
- Around line 129-131: The Talos security alert text is missing the intended
note about Cozystack’s nested-virtualization default being disabled and how to
rebuild/re-enable it. Update the alert content in the talosctl docs to clearly
state the default-disablement and the mitigation/rebuild path, and adjust the
wording around nested virtualization so readers do not infer it remains enabled
by default. Keep the reference to the Talos v1.13.6 fix, but rewrite the final
sentence to match the Cozystack image behavior and recovery steps.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d0c3ea3b-5e94-46e8-9e11-3261271a50e4

📥 Commits

Reviewing files that changed from the base of the PR and between c589dd8 and 0557399.

📒 Files selected for processing (16)
  • content/en/docs/next/install/kubernetes/talos-bootstrap.md
  • content/en/docs/next/install/kubernetes/talosctl.md
  • content/en/docs/v0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v0/install/kubernetes/talosctl.md
  • content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.0/install/kubernetes/talosctl.md
  • content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talosctl.md
  • content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.2/install/kubernetes/talosctl.md
  • content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.3/install/kubernetes/talosctl.md
  • content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.4/install/kubernetes/talosctl.md
  • content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.5/install/kubernetes/talosctl.md
✅ Files skipped from review due to trivial changes (8)
  • content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.3/install/kubernetes/talosctl.md
  • content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talosctl.md
  • content/en/docs/v1.5/install/kubernetes/talosctl.md
  • content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.2/install/kubernetes/talosctl.md
  • content/en/docs/v0/install/kubernetes/talosctl.md
🚧 Files skipped from review as they are similar to previous changes (4)
  • content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.0/install/kubernetes/talosctl.md
  • content/en/docs/v0/install/kubernetes/talos-bootstrap.md

Comment on lines +105 to +107
{{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working.
{{% /alert %}}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Clarify the nested-virtualization default.

This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/next/install/kubernetes/talos-bootstrap.md` around lines 105
- 107, The Talos security alert in the bootstrap docs still implies nested
virtualization remains enabled, but it should instead explain the Cozystack
Talos image default-disablement and the rebuild/re-enable path. Update the alert
text in the Talos bootstrap section to clearly state the default is disabled,
and mention that users must rebuild or re-enable nested virtualization if their
workloads require it; keep the focus on the Talos version guidance and
mitigation wording around the alert block.

Comment on lines +129 to +131
{{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working.
{{% /alert %}}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Clarify the nested-virtualization default.

This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 129 - 131,
The Talos security alert text is misleading about nested virtualization, since
it currently implies it remains enabled by default. Reword the alert in
talosctl.md to clearly state the Cozystack Talos image default-disables nested
virtualization, and mention the rebuild/re-enable path so readers understand how
to restore it if needed; update the wording in the alert block that mentions
CVE-2026-53359 and Talos v1.13.6.

Comment on lines +105 to +107
{{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working.
{{% /alert %}}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Clarify the nested-virtualization default.

This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md` around lines 105
- 107, The Talos security alert still describes nested virtualization as staying
enabled, which misses the intended mitigation guidance. Reword the alert in
talos-bootstrap.md near the CVE-2026-53359 note to clearly state that the
Cozystack Talos image disables nested virtualization by default, and that users
must rebuild or re-enable it if their workloads require nested virtualization;
keep the CVE and version-upgrade guidance but remove the “stays enabled”
wording.

Comment on lines +129 to +131
{{% alert title="Update Talos to v1.13.6 or newer (CVE-2026-53359)" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both are fixed in the kernel, and Talos v1.13.6 is the first release that carries both fixes — it ships Linux 6.18.38. If the image tag above resolves to an earlier release, set it to `v1.13.6` or newer. Nested virtualization stays enabled: the kernel fix removes the bug itself, so workloads that rely on nested virtualization keep working.
{{% /alert %}}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Clarify the nested-virtualization default.

This alert still says nested virtualization stays enabled and that dependent workloads keep working, but the PR intent is to document the Cozystack Talos image default-disablement and the rebuild/re-enable path. Please reword it so readers don't miss the mitigation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.4/install/kubernetes/talosctl.md` around lines 129 - 131,
The Talos security alert text is missing the intended note about Cozystack’s
nested-virtualization default being disabled and how to rebuild/re-enable it.
Update the alert content in the talosctl docs to clearly state the
default-disablement and the mitigation/rebuild path, and adjust the wording
around nested virtualization so readers do not infer it remains enabled by
default. Keep the reference to the Talos v1.13.6 fix, but rewrite the final
sentence to match the Cozystack image behavior and recovery steps.

…l fix

Talos v1.13.6 is the first release carrying both kernel fixes. These docs
versions install from the 1.10, 1.11 or 1.12 lines, whose newest releases ship
Linux 6.12.63, 6.12.62 and 6.18.35, while the fixes landed in 6.12.95 and
6.18.38. Say so, and name the only complete answer: move to a release that
installs from the 1.13 line, then pin the image tag at v1.13.6 or newer.

The pre-1.13 pages hardcode a 1.10 image tag while the release itself installs
from a later line, so their note names no single line.

For readers who cannot upgrade, disabling KVM nested virtualization is still
the one available mitigation, so keep it, and separate the ways it goes wrong,
because they do not fail alike. On Talos 1.12 and newer a config carrying
install.extraKernelArgs is rejected outright unless install.grubUseUKICmdline
is false, and talosctl gen config writes that field as true -- Talos says so.
On systemd-boot, which a fresh UEFI install of Talos 1.10 or newer uses, the
kernel command line lives inside the UKI, and the arguments are accepted and
then ignored with nothing reported at all. Point the reader at /proc/cmdline
rather than at an assumption.

Signed-off-by: Aleksei Sviridkin <f@lex.la>
@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the security/cve-2026-53359-disable-nested-virt branch from fc8d240 to ebd8f09 Compare July 9, 2026 13:17
Talos v1.13.6 shipped on 2026-07-09 with Linux 6.18.38, the first kernel
carrying the fixes for both CVE-2026-53359 and its sibling CVE-2026-46113. The
advisory was written while no fixed Talos release existed, so it recommended
disabling KVM nested virtualization and stated that Cozystack VMs do not need
the feature. Both claims are now wrong: the bug is fixed in the kernel, and
taking nested virtualization away from workloads that rely on it buys nothing.

Lead with an update note, so a reader who acted on the first version learns the
recommendation changed rather than finding a silently rewritten page. Say which
Talos lines carry the fix and which never will, recommend the upgrade, and keep
disabling nested virtualization only as a stop-gap for clusters that cannot
upgrade yet. Non-Talos hosts get a fix path too -- their distribution's kernel
update -- named without a version, because which stable series carry both
patches has not been established here and a security advisory is no place to
guess.

Correct the stop-gap's caveats, which conflated two unlike failures. Omitting
grubUseUKICmdline: false on Talos 1.12 and newer does not quietly drop the
kernel arguments -- Talos rejects the config outright, and says so. The quiet
failure is systemd-boot, where the command line lives inside the UKI and the
arguments are accepted and then ignored with nothing reported; point the reader
at /proc/cmdline instead of at an assumption.

Drop the automation section: it advertised skills that prescribe and verify a
mitigation this advisory no longer recommends.

Signed-off-by: Aleksei Sviridkin <f@lex.la>
@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the security/cve-2026-53359-disable-nested-virt branch from 3cce676 to 8a84587 Compare July 9, 2026 16:56

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md`:
- Around line 105-108: Replace the current Talos node-level workaround in
talos-bootstrap.md with the image-level mitigation for v1.3+: update the note to
point readers at the Cozystack Talos image default-disable approach and rebuild
flow instead of `machine.install.extraKernelArgs` /
`machine.install.grubUseUKICmdline`. Keep the guidance aligned with the existing
Talos/Cozystack release language in this section, and remove the stale per-node
boot-argument instructions from this note.

In `@content/en/docs/v1.3/install/kubernetes/talosctl.md`:
- Around line 129-132: Replace the current Talos 1.12 per-node kernel-args
workaround in the advisory note with the image-level mitigation for v1.3+:
update the warning text in talosctl.md to describe disabling the risky behavior
in the Cozystack Talos image default and rebuilding the image instead of using
machine.install.extraKernelArgs or machine.install.grubUseUKICmdline. Keep the
focus on the image flow and remove the stale node-level guidance so readers are
directed to the correct Talos image/tag-based fix.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 93e7bed0-93a2-4c48-a1cf-9cacbcc5bbff

📥 Commits

Reviewing files that changed from the base of the PR and between 0557399 and 3cce676.

📒 Files selected for processing (11)
  • content/en/blog/2026-07-07-security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/index.md
  • content/en/docs/v0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v0/install/kubernetes/talosctl.md
  • content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.0/install/kubernetes/talosctl.md
  • content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talosctl.md
  • content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.2/install/kubernetes/talosctl.md
  • content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.3/install/kubernetes/talosctl.md

Comment on lines +105 to +108
{{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer.

If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Switch this note to the image-level mitigation.

This still documents the per-node extraKernelArgs/grubUseUKICmdline workaround, but the PR objective for v1.3+ is to replace that path with the Cozystack Talos image default-disable note and the rebuild flow. Leaving the old workaround here will keep sending readers to stale instructions.

Suggested rewrite
-If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took.
+The Cozystack Talos image in this release line disables nested virtualization by default. If you need to re-enable it, rebuild the image with the desired kernel arguments baked into the boot assets and verify `/proc/cmdline`.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer.
If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took.
{{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer.
The Cozystack Talos image in this release line disables nested virtualization by default. If you need to re-enable it, rebuild the image with the desired kernel arguments baked into the boot assets and verify `/proc/cmdline`.
🧰 Tools
🪛 LanguageTool

[locale-violation] ~108-~108: In American English, ‘afterward’ is the preferred variant. ‘Afterwards’ is more commonly used in British English and other dialects.
Context: ... way, check /proc/cmdline on the node afterwards rather than assuming the mitigation too...

(AFTERWARDS_US)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md` around lines 105
- 108, Replace the current Talos node-level workaround in talos-bootstrap.md
with the image-level mitigation for v1.3+: update the note to point readers at
the Cozystack Talos image default-disable approach and rebuild flow instead of
`machine.install.extraKernelArgs` / `machine.install.grubUseUKICmdline`. Keep
the guidance aligned with the existing Talos/Cozystack release language in this
section, and remove the stale per-node boot-argument instructions from this
note.

Comment on lines +129 to +132
{{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer.

If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Switch this note to the image-level mitigation.

This still documents the per-node extraKernelArgs/grubUseUKICmdline workaround, but the PR objective for v1.3+ is to replace that path with the Cozystack Talos image default-disable note and the rebuild flow. Leaving the old workaround here will keep sending readers to stale instructions.

Suggested rewrite
-If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took.
+The Cozystack Talos image in this release line disables nested virtualization by default. If you need to re-enable it, rebuild the image with the desired kernel arguments baked into the boot assets and verify `/proc/cmdline`.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer.
If you cannot upgrade and you run untrusted guests, disabling KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) removes the entry point the published exploit relies on. Treat it as a stop-gap rather than a fix, and mind where it applies. On Talos 1.12 and newer, `machine.install.extraKernelArgs` also needs `machine.install.grubUseUKICmdline: false` next to it: `talosctl gen config` writes that field as `true`, and Talos rejects a config carrying both with `install.extraKernelArgs and install.grubUseUKICmdline can't be used together`. On Talos 1.10 and 1.11 the field does not exist and is not needed. That rejection is loud; the remaining failure is not. Even once the config is accepted, the arguments only reach a GRUB-booted node: a fresh UEFI install of Talos 1.10 or newer boots through systemd-boot, where the kernel command line lives inside the Unified Kernel Image, and there Talos takes the arguments without complaint and ignores them. On those nodes the arguments have to be baked into the boot assets with [Image Factory or Imager](https://www.talos.dev/v1.12/talos-guides/install/boot-assets/). Either way, check `/proc/cmdline` on the node afterwards rather than assuming the mitigation took.
{{% alert title="No Talos 1.12 release fixes CVE-2026-53359" color="warning" %}}
[CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape") and CVE-2026-46113 are related use-after-free bugs in the KVM x86 shadow MMU that let a guest VM escape to its host. Both fixes live in the kernel, and no Talos 1.12 release carries the one for CVE-2026-53359: the newest, v1.12.9, ships Linux 6.18.35, while that fix landed in 6.18.38. The complete fix is Talos v1.13.6 or newer: upgrade to a Cozystack release that installs from the Talos 1.13 line, then set the Talos image tag to `v1.13.6` or newer.
The Cozystack Talos image in this release line disables nested virtualization by default. If you need to re-enable it, rebuild the image with the desired kernel arguments baked into the boot assets and verify `/proc/cmdline`.
🧰 Tools
🪛 LanguageTool

[locale-violation] ~132-~132: In American English, ‘afterward’ is the preferred variant. ‘Afterwards’ is more commonly used in British English and other dialects.
Context: ... way, check /proc/cmdline on the node afterwards rather than assuming the mitigation too...

(AFTERWARDS_US)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.3/install/kubernetes/talosctl.md` around lines 129 - 132,
Replace the current Talos 1.12 per-node kernel-args workaround in the advisory
note with the image-level mitigation for v1.3+: update the warning text in
talosctl.md to describe disabling the risky behavior in the Cozystack Talos
image default and rebuilding the image instead of using
machine.install.extraKernelArgs or machine.install.grubUseUKICmdline. Keep the
focus on the image flow and remove the stale node-level guidance so readers are
directed to the correct Talos image/tag-based fix.

@lexfrei Aleksei Sviridkin (lexfrei) changed the title docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359) docs: point CVE-2026-53359 at the Talos v1.13.6 kernel fix Jul 10, 2026
@lexfrei

Copy link
Copy Markdown
Contributor

You were right about the version mapping, and it changed how these pages are worded. The pre-1.3 install guides hardcode talos:v1.10.3 in the image: line, but the releases themselves install from later lines — v0 from 1.11.6, v1.0 and v1.1 from 1.12.1, v1.2 from 1.12.6 — so a note pinned to any one line would be wrong for part of the audience. Those four versions now say that every release of the 1.10, 1.11 and 1.12 lines is missing at least one of the two fixes, without naming a line.

The mitigation itself has changed since you reviewed. CVE-2026-53359 and the related CVE-2026-46113 are both fixed in the kernel, and Talos v1.13.6 (Linux 6.18.38) is the first release carrying both patches, so the guides now point at the kernel instead of at extraKernelArgs. Nested virtualization stays enabled — once the bug is gone there is no reason to take the feature away from workloads that need it.

Disabling nested virtualization is kept only where the Talos line has no fixed kernel, as an explicit stop-gap, and the note now separates the two very different ways it goes wrong. On Talos 1.12 and newer a config carrying extraKernelArgs is rejected outright unless grubUseUKICmdline is also falsetalosctl gen config writes that field as true — so Talos tells you what is wrong. On systemd-boot, which a fresh UEFI install of 1.10 or newer uses, the command line lives inside the UKI: the arguments are accepted and then ignored, and nothing reports it. On 1.10 and 1.11 the field does not exist and the arguments apply as written on a GRUB-booted node.

The security advisory these notes link to has been updated in the same change, so the doc and the advisory now say the same thing. All eight served docs versions are covered, and the v1.13.6 image tag the notes point at is built by cozystack/cozystack#3240, which has landed.

@lexfrei Aleksei Sviridkin (lexfrei) dismissed IvanHunters’s stale review July 10, 2026 01:41

Addressed in the rework, and the reviewed revision no longer exists — see the reply above for what changed and why. Dismissing so this is not blocked on a review of a version that is gone; another look is very welcome.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants