docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602
docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602Andrei Kvapil (kvaps) wants to merge 3 commits into
Conversation
…-2026-53359) Add kvm_intel.nested=0 and kvm_amd.nested=0 to machine.install.extraKernelArgs in the Talos install machine-config examples across all docs versions, to mitigate CVE-2026-53359 (Januscape), a KVM guest-to-host escape reachable only when nested virtualization is exposed to the guest. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> Assisted-By: Claude <noreply@anthropic.com>
✅ Deploy Preview for cozystack ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
📝 WalkthroughWalkthroughDocumentation across all versioned Talos install guides (next, v0, v1.0–v1.5) is updated to add ChangesTalos patch.yaml Documentation Updates
Estimated code review effort: 1 (Trivial) | ~5 minutes Suggested reviewers: 🐰📝 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the Talos installation documentation across multiple versions to add kernel arguments (kvm_intel.nested=0 and kvm_amd.nested=0) to mitigate CVE-2026-53359 by disabling KVM nested virtualization. The review feedback points out that on UEFI-booted systems using Talos 1.10+, these extraKernelArgs are silently ignored due to the use of Unified Kernel Images (UKIs). It is recommended to add a warning note in the documentation advising users to bake these arguments into the boot assets using the Image Factory or Imager instead.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
Starting with Talos 1.10, fresh installations on UEFI systems use systemd-boot and Unified Kernel Images (UKIs). On these systems, the .machine.install.extraKernelArgs field in the machine configuration is completely ignored because kernel arguments are embedded directly within the UKI.
Since all documentation versions from v0 (using Talos v1.10.3) to next (using Talos v1.13.0) target Talos 1.10+, this mitigation will be silently ignored on any UEFI-booted nodes, leaving them vulnerable to CVE-2026-53359.
To ensure users are actually protected, please add a warning note in the documentation explaining that on UEFI-booted systems, these kernel arguments must be baked into the boot assets using the Image Factory or Imager (via customization schematics) instead of relying on extraKernelArgs in the machine configuration.
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| # Note: This is ignored on UEFI systems using Talos 1.10+ (use Image Factory instead) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
… apply (CVE-2026-53359) extraKernelArgs is rejected/ignored under the UKI cmdline on Talos >=1.12; pin grubUseUKICmdline=false in the >=1.12 docs (next, v1.3-v1.5) so the mitigation actually takes effect. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> Assisted-By: Claude <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@content/en/docs/next/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos patch example has an invalid YAML structure
because the extraKernelArgs list is not nested under its key. Update the example
in the talosctl docs so extraKernelArgs and its commented kernel args are
indented one level deeper beneath grubUseUKICmdline, keeping the list items
aligned under extraKernelArgs for valid YAML.
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has the extraKernelArgs
list at the wrong indentation level, so the sequence items are not nested under
the key. Update the talos-bootstrap.md example so extraKernelArgs: is followed
by an indented comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries
one level deeper, keeping the block aligned with the surrounding YAML structure.
In `@content/en/docs/v1.3/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has invalid YAML because the
extraKernelArgs list is not nested under its key. Update the talosctl markdown
snippet so the comments and both kernel argument entries are indented one level
deeper under extraKernelArgs, keeping grubUseUKICmdline in the same block and
preserving the example’s structure.
In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has a malformed
`extraKernelArgs` block because the comment and both `kvm_intel.nested=0` /
`kvm_amd.nested=0` entries are not indented under `extraKernelArgs:`. Update the
`talos-bootstrap.md` snippet so the `extraKernelArgs` key in the bootstrap
example contains an indented list, keeping the comment and both list items
nested beneath it.
In `@content/en/docs/v1.4/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has an invalid YAML structure
because the extraKernelArgs sequence items are not nested under the
extraKernelArgs key. Update the example in the talosctl install section so the
comment and both kernel args are indented one level deeper under
extraKernelArgs, keeping the surrounding grubUseUKICmdline setting unchanged.
In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap example has an invalid YAML structure
because the `extraKernelArgs` sequence items are not nested under the
`extraKernelArgs` key. Update the `talos-bootstrap.md` example so the comment
and both `kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one
level under `extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block
in `talos-bootstrap` unchanged.
In `@content/en/docs/v1.5/install/kubernetes/talosctl.md`:
- Around line 88-94: The YAML example in talosctl.md has the extraKernelArgs
list at the wrong indentation level, making the patch invalid. Update the Talos
config snippet so the extraKernelArgs key in the affected block has its comment
and both kernel arguments nested one level deeper under it, keeping the
surrounding grubUseUKICmdline example unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 382f866a-9b3e-4ada-823c-5c6423541a60
📒 Files selected for processing (16)
content/en/docs/next/install/kubernetes/talos-bootstrap.mdcontent/en/docs/next/install/kubernetes/talosctl.mdcontent/en/docs/v0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v0/install/kubernetes/talosctl.mdcontent/en/docs/v1.0/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.0/install/kubernetes/talosctl.mdcontent/en/docs/v1.1/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.1/install/kubernetes/talosctl.mdcontent/en/docs/v1.2/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.2/install/kubernetes/talosctl.mdcontent/en/docs/v1.3/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.3/install/kubernetes/talosctl.mdcontent/en/docs/v1.4/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.4/install/kubernetes/talosctl.mdcontent/en/docs/v1.5/install/kubernetes/talos-bootstrap.mdcontent/en/docs/v1.5/install/kubernetes/talosctl.md
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The list items are rendered at the same indentation level as extraKernelArgs:, so this patch example is not valid YAML as written. Please nest the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos patch example has an invalid YAML structure because the
extraKernelArgs list is not nested under its key. Update the example in the
talosctl docs so extraKernelArgs and its commented kernel args are indented one
level deeper beneath grubUseUKICmdline, keeping the list items aligned under
extraKernelArgs for valid YAML.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
This block reads as if the sequence items are at the same level as extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has the extraKernelArgs list at the wrong
indentation level, so the sequence items are not nested under the key. Update
the talos-bootstrap.md example so extraKernelArgs: is followed by an indented
comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries one level
deeper, keeping the block aligned with the surrounding YAML structure.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
As written, the list items sit alongside extraKernelArgs: instead of nesting under it, so the example is not valid YAML. Please push the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.3/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has invalid YAML because the extraKernelArgs list is
not nested under its key. Update the talosctl markdown snippet so the comments
and both kernel argument entries are indented one level deeper under
extraKernelArgs, keeping grubUseUKICmdline in the same block and preserving the
example’s structure.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The current indentation makes the list items look sibling-level to extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has a malformed `extraKernelArgs` block
because the comment and both `kvm_intel.nested=0` / `kvm_amd.nested=0` entries
are not indented under `extraKernelArgs:`. Update the `talos-bootstrap.md`
snippet so the `extraKernelArgs` key in the bootstrap example contains an
indented list, keeping the comment and both list items nested beneath it.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The example needs the sequence items nested under extraKernelArgs:; otherwise it is invalid YAML for readers copying it into a patch file. Please indent the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.4/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has an invalid YAML structure because the
extraKernelArgs sequence items are not nested under the extraKernelArgs key.
Update the example in the talosctl install section so the comment and both
kernel args are indented one level deeper under extraKernelArgs, keeping the
surrounding grubUseUKICmdline setting unchanged.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
As rendered here, the sequence items are not nested under extraKernelArgs:, so the example will not parse as YAML. Please indent the comment and both - kvm_* entries one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap example has an invalid YAML structure because the
`extraKernelArgs` sequence items are not nested under the `extraKernelArgs` key.
Update the `talos-bootstrap.md` example so the comment and both
`kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one level under
`extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block in
`talos-bootstrap` unchanged.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | ||
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | ||
| grubUseUKICmdline: false | ||
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Indent the extraKernelArgs list under its key.
The sequence items need to be nested under extraKernelArgs:; otherwise the patch example is invalid YAML. Please indent the comment and both kernel args one level deeper.
Fix
grubUseUKICmdline: false
extraKernelArgs:
- # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- - kvm_intel.nested=0
- - kvm_amd.nested=0
+ # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+ - kvm_intel.nested=0
+ - kvm_amd.nested=0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 | |
| # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the | |
| # Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI). | |
| grubUseUKICmdline: false | |
| extraKernelArgs: | |
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | |
| - kvm_intel.nested=0 | |
| - kvm_amd.nested=0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@content/en/docs/v1.5/install/kubernetes/talosctl.md` around lines 88 - 94,
The YAML example in talosctl.md has the extraKernelArgs list at the wrong
indentation level, making the patch invalid. Update the Talos config snippet so
the extraKernelArgs key in the affected block has its comment and both kernel
arguments nested one level deeper under it, keeping the surrounding
grubUseUKICmdline example unchanged.
) On Talos <1.12 machine.install.extraKernelArgs is a no-op on UEFI/UKI nodes and grubUseUKICmdline does not exist to opt out, so the snippet did nothing on modern hardware. Remove it from the v0-v1.2 guides (Talos v1.10.3); ≥1.12 guides keep the working grubUseUKICmdline=false + extraKernelArgs form. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> Assisted-By: Claude <noreply@anthropic.com>
Summary
Adds the KVM nested-virtualization disable to the Talos install machine-config examples across all docs versions, to mitigate CVE-2026-53359 ("Januscape"), a guest-to-host escape in the Linux KVM/x86 shadow MMU (a use-after-free in
kvm_mmu_get_child_sp()from shadow-page role confusion).The vulnerable code path is only reachable when a guest is allowed to use nested virtualization; disabling it on the host removes the attack surface regardless of the node kernel patch level. Fixed upstream in
81ccda30b4e8/ stable 6.12.95, 6.6.144, 6.1.177, 6.18.38, 7.1.3 (2026-07-04); no released Talos ships the fixed kernel yet.Change
Adds
kvm_intel.nested=0andkvm_amd.nested=0tomachine.install.extraKernelArgsininstall/kubernetes/talos-bootstrap.mdandtalosctl.mdacross every docs version (next,v0,v1.0–v1.5). Both args are set so a single config works on Intel and AMD hosts. A reader who needs nested virt can remove them once the node kernel is patched.Part of a coordinated set of PRs (see Related PRs below).
Related PRs
Coordinated CVE-2026-53359 (Januscape) nested-virtualization mitigation across Cozystack repos:
cozystack/genericpresets (canonical source)Summary by CodeRabbit