Skip to content

docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602

Open
Andrei Kvapil (kvaps) wants to merge 3 commits into
mainfrom
security/cve-2026-53359-disable-nested-virt
Open

docs: disable KVM nested virtualization in Talos install configs (CVE-2026-53359)#602
Andrei Kvapil (kvaps) wants to merge 3 commits into
mainfrom
security/cve-2026-53359-disable-nested-virt

Conversation

@kvaps

@kvaps Andrei Kvapil (kvaps) commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

Adds the KVM nested-virtualization disable to the Talos install machine-config examples across all docs versions, to mitigate CVE-2026-53359 ("Januscape"), a guest-to-host escape in the Linux KVM/x86 shadow MMU (a use-after-free in kvm_mmu_get_child_sp() from shadow-page role confusion).

The vulnerable code path is only reachable when a guest is allowed to use nested virtualization; disabling it on the host removes the attack surface regardless of the node kernel patch level. Fixed upstream in 81ccda30b4e8 / stable 6.12.95, 6.6.144, 6.1.177, 6.18.38, 7.1.3 (2026-07-04); no released Talos ships the fixed kernel yet.

Change

Adds kvm_intel.nested=0 and kvm_amd.nested=0 to machine.install.extraKernelArgs in install/kubernetes/talos-bootstrap.md and talosctl.md across every docs version (next, v0, v1.0v1.5). Both args are set so a single config works on Intel and AMD hosts. A reader who needs nested virt can remove them once the node kernel is patched.

Part of a coordinated set of PRs (see Related PRs below).

Related PRs

Coordinated CVE-2026-53359 (Januscape) nested-virtualization mitigation across Cozystack repos:

Summary by CodeRabbit

  • Documentation
    • Updated Kubernetes installation examples across multiple Talos versions.
    • Clarified boot configuration for newer Talos releases.
    • Added kernel arguments to disable nested virtualization on Intel and AMD systems.
    • Included security-related notes and CVE references in the examples.

…-2026-53359)

Add kvm_intel.nested=0 and kvm_amd.nested=0 to machine.install.extraKernelArgs in the Talos install machine-config examples across all docs versions, to mitigate CVE-2026-53359 (Januscape), a KVM guest-to-host escape reachable only when nested virtualization is exposed to the guest.

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Assisted-By: Claude <noreply@anthropic.com>
@netlify

netlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit a593dc6
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6a4d4c4b6694070008bb173f
😎 Deploy Preview https://deploy-preview-602--cozystack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Documentation across all versioned Talos install guides (next, v0, v1.0–v1.5) is updated to add extraKernelArgs entries disabling KVM nested virtualization for Intel and AMD, referencing CVE-2026-53359. Later versions (next, v1.3–v1.5) additionally add grubUseUKICmdline: false with Talos >=1.12 guidance.

Changes

Talos patch.yaml Documentation Updates

Layer / File(s) Summary
next docs patch.yaml updates
content/en/docs/next/install/kubernetes/talos-bootstrap.md, content/en/docs/next/install/kubernetes/talosctl.md
Adds grubUseUKICmdline: false with Talos >=1.12 guidance and extraKernelArgs disabling nested KVM virtualization for Intel/AMD, with CVE comment.
v0 docs patch.yaml updates
content/en/docs/v0/install/kubernetes/talos-bootstrap.md, content/en/docs/v0/install/kubernetes/talosctl.md
Adds extraKernelArgs disabling nested KVM virtualization for Intel/AMD with CVE-2026-53359 comment.
v1.0 docs patch.yaml updates
content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.0/install/kubernetes/talosctl.md
Adds extraKernelArgs disabling nested KVM virtualization for Intel/AMD with CVE comment.
v1.1 docs patch.yaml updates
content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.1/install/kubernetes/talosctl.md
Adds extraKernelArgs disabling nested KVM virtualization for Intel/AMD with CVE comment.
v1.2 docs patch.yaml updates
content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.2/install/kubernetes/talosctl.md
Adds extraKernelArgs disabling nested KVM virtualization for Intel/AMD with CVE comment.
v1.3 docs patch.yaml updates
content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.3/install/kubernetes/talosctl.md
Adds grubUseUKICmdline: false and extraKernelArgs disabling nested KVM virtualization for Intel/AMD, with CVE comment.
v1.4 docs patch.yaml updates
content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.4/install/kubernetes/talosctl.md
Adds grubUseUKICmdline: false and extraKernelArgs disabling nested KVM virtualization for Intel/AMD, with CVE comment.
v1.5 docs patch.yaml updates
content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md, content/en/docs/v1.5/install/kubernetes/talosctl.md
Adds grubUseUKICmdline: false and extraKernelArgs disabling nested KVM virtualization for Intel/AMD, with CVE comment.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Suggested reviewers: NickVolynkin

🐰📝
Sixteen patches, one refrain,
nested KVM turned off again,
across each version, hop by hop,
a CVE comment lands on top.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: disabling KVM nested virtualization in Talos install configs for a specific CVE mitigation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/cve-2026-53359-disable-nested-virt

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Talos installation documentation across multiple versions to add kernel arguments (kvm_intel.nested=0 and kvm_amd.nested=0) to mitigate CVE-2026-53359 by disabling KVM nested virtualization. The review feedback points out that on UEFI-booted systems using Talos 1.10+, these extraKernelArgs are silently ignored due to the use of Unified Kernel Images (UKIs). It is recommended to add a warning note in the documentation advising users to bake these arguments into the boot assets using the Image Factory or Imager instead.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +68 to +71
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

Starting with Talos 1.10, fresh installations on UEFI systems use systemd-boot and Unified Kernel Images (UKIs). On these systems, the .machine.install.extraKernelArgs field in the machine configuration is completely ignored because kernel arguments are embedded directly within the UKI.

Since all documentation versions from v0 (using Talos v1.10.3) to next (using Talos v1.13.0) target Talos 1.10+, this mitigation will be silently ignored on any UEFI-booted nodes, leaving them vulnerable to CVE-2026-53359.

To ensure users are actually protected, please add a warning note in the documentation explaining that on UEFI-booted systems, these kernel arguments must be baked into the boot assets using the Image Factory or Imager (via customization schematics) instead of relying on extraKernelArgs in the machine configuration.

Suggested change
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
# Note: This is ignored on UEFI systems using Talos 1.10+ (use Image Factory instead)
- kvm_intel.nested=0
- kvm_amd.nested=0

… apply (CVE-2026-53359)

extraKernelArgs is rejected/ignored under the UKI cmdline on Talos >=1.12; pin grubUseUKICmdline=false in the >=1.12 docs (next, v1.3-v1.5) so the mitigation actually takes effect.

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Assisted-By: Claude <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@content/en/docs/next/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos patch example has an invalid YAML structure
because the extraKernelArgs list is not nested under its key. Update the example
in the talosctl docs so extraKernelArgs and its commented kernel args are
indented one level deeper beneath grubUseUKICmdline, keeping the list items
aligned under extraKernelArgs for valid YAML.

In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has the extraKernelArgs
list at the wrong indentation level, so the sequence items are not nested under
the key. Update the talos-bootstrap.md example so extraKernelArgs: is followed
by an indented comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries
one level deeper, keeping the block aligned with the surrounding YAML structure.

In `@content/en/docs/v1.3/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has invalid YAML because the
extraKernelArgs list is not nested under its key. Update the talosctl markdown
snippet so the comments and both kernel argument entries are indented one level
deeper under extraKernelArgs, keeping grubUseUKICmdline in the same block and
preserving the example’s structure.

In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap YAML example has a malformed
`extraKernelArgs` block because the comment and both `kvm_intel.nested=0` /
`kvm_amd.nested=0` entries are not indented under `extraKernelArgs:`. Update the
`talos-bootstrap.md` snippet so the `extraKernelArgs` key in the bootstrap
example contains an indented list, keeping the comment and both list items
nested beneath it.

In `@content/en/docs/v1.4/install/kubernetes/talosctl.md`:
- Around line 88-94: The Talos install example has an invalid YAML structure
because the extraKernelArgs sequence items are not nested under the
extraKernelArgs key. Update the example in the talosctl install section so the
comment and both kernel args are indented one level deeper under
extraKernelArgs, keeping the surrounding grubUseUKICmdline setting unchanged.

In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md`:
- Around line 68-74: The Talos bootstrap example has an invalid YAML structure
because the `extraKernelArgs` sequence items are not nested under the
`extraKernelArgs` key. Update the `talos-bootstrap.md` example so the comment
and both `kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one
level under `extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block
in `talos-bootstrap` unchanged.

In `@content/en/docs/v1.5/install/kubernetes/talosctl.md`:
- Around line 88-94: The YAML example in talosctl.md has the extraKernelArgs
list at the wrong indentation level, making the patch invalid. Update the Talos
config snippet so the extraKernelArgs key in the affected block has its comment
and both kernel arguments nested one level deeper under it, keeping the
surrounding grubUseUKICmdline example unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 382f866a-9b3e-4ada-823c-5c6423541a60

📥 Commits

Reviewing files that changed from the base of the PR and between f5e48b1 and 642dbb2.

📒 Files selected for processing (16)
  • content/en/docs/next/install/kubernetes/talos-bootstrap.md
  • content/en/docs/next/install/kubernetes/talosctl.md
  • content/en/docs/v0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v0/install/kubernetes/talosctl.md
  • content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.0/install/kubernetes/talosctl.md
  • content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.1/install/kubernetes/talosctl.md
  • content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.2/install/kubernetes/talosctl.md
  • content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.3/install/kubernetes/talosctl.md
  • content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.4/install/kubernetes/talosctl.md
  • content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md
  • content/en/docs/v1.5/install/kubernetes/talosctl.md

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The list items are rendered at the same indentation level as extraKernelArgs:, so this patch example is not valid YAML as written. Please nest the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos patch example has an invalid YAML structure because the
extraKernelArgs list is not nested under its key. Update the example in the
talosctl docs so extraKernelArgs and its commented kernel args are indented one
level deeper beneath grubUseUKICmdline, keeping the list items aligned under
extraKernelArgs for valid YAML.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

This block reads as if the sequence items are at the same level as extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has the extraKernelArgs list at the wrong
indentation level, so the sequence items are not nested under the key. Update
the talos-bootstrap.md example so extraKernelArgs: is followed by an indented
comment and both kvm_intel.nested=0 and kvm_amd.nested=0 entries one level
deeper, keeping the block aligned with the surrounding YAML structure.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

As written, the list items sit alongside extraKernelArgs: instead of nesting under it, so the example is not valid YAML. Please push the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.3/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has invalid YAML because the extraKernelArgs list is
not nested under its key. Update the talosctl markdown snippet so the comments
and both kernel argument entries are indented one level deeper under
extraKernelArgs, keeping grubUseUKICmdline in the same block and preserving the
example’s structure.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The current indentation makes the list items look sibling-level to extraKernelArgs:, which breaks the YAML example. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap YAML example has a malformed `extraKernelArgs` block
because the comment and both `kvm_intel.nested=0` / `kvm_amd.nested=0` entries
are not indented under `extraKernelArgs:`. Update the `talos-bootstrap.md`
snippet so the `extraKernelArgs` key in the bootstrap example contains an
indented list, keeping the comment and both list items nested beneath it.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The example needs the sequence items nested under extraKernelArgs:; otherwise it is invalid YAML for readers copying it into a patch file. Please indent the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.4/install/kubernetes/talosctl.md` around lines 88 - 94,
The Talos install example has an invalid YAML structure because the
extraKernelArgs sequence items are not nested under the extraKernelArgs key.
Update the example in the talosctl install section so the comment and both
kernel args are indented one level deeper under extraKernelArgs, keeping the
surrounding grubUseUKICmdline setting unchanged.

Comment on lines +68 to +74
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

As rendered here, the sequence items are not nested under extraKernelArgs:, so the example will not parse as YAML. Please indent the comment and both - kvm_* entries one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md` around lines 68 -
74, The Talos bootstrap example has an invalid YAML structure because the
`extraKernelArgs` sequence items are not nested under the `extraKernelArgs` key.
Update the `talos-bootstrap.md` example so the comment and both
`kvm_intel.nested=0` and `kvm_amd.nested=0` entries are indented one level under
`extraKernelArgs`, keeping the surrounding `grubUseUKICmdline` block in
`talos-bootstrap` unchanged.

Comment on lines +88 to +94
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Indent the extraKernelArgs list under its key.

The sequence items need to be nested under extraKernelArgs:; otherwise the patch example is invalid YAML. Please indent the comment and both kernel args one level deeper.

Fix
         grubUseUKICmdline: false
         extraKernelArgs:
-        # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
-        - kvm_intel.nested=0
-        - kvm_amd.nested=0
+          # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
+          - kvm_intel.nested=0
+          - kvm_amd.nested=0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
# On Talos >=1.12 pin grubUseUKICmdline false so the args land on the
# Talos-built cmdline (Talos rejects/ignores extraKernelArgs under UKI).
grubUseUKICmdline: false
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/v1.5/install/kubernetes/talosctl.md` around lines 88 - 94,
The YAML example in talosctl.md has the extraKernelArgs list at the wrong
indentation level, making the patch invalid. Update the Talos config snippet so
the extraKernelArgs key in the affected block has its comment and both kernel
arguments nested one level deeper under it, keeping the surrounding
grubUseUKICmdline example unchanged.

)

On Talos <1.12 machine.install.extraKernelArgs is a no-op on UEFI/UKI nodes and grubUseUKICmdline does not exist to opt out, so the snippet did nothing on modern hardware. Remove it from the v0-v1.2 guides (Talos v1.10.3); ≥1.12 guides keep the working grubUseUKICmdline=false + extraKernelArgs form.

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Assisted-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant