{"uuid": "1572756d-d1cd-4cc0-bff1-8fb5715d7d70", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-53359", "type": "seen", "source": "https://gist.github.com/lexfrei/4e8e13137f97b60874350ef2ac512f6d", "content": "# Correctly fixing CVE-2026-53359 (Januscape) + CVE-2026-46113 on Talos Linux\n\n## TL;DR\n\nThe config-based mitigation for CVE-2026-53359 that's often recommended \u2014 `machine.install.extraKernelArgs: [kvm_intel.nested=0, kvm_amd.nested=0]` \u2014 **is silently ignored on Talos nodes that boot via systemd-boot / UKI** (bare-metal UEFI is the common case). The kernel command line is baked into the signed UKI and cannot be changed by machine config; `grubUseUKICmdline` only affects GRUB.\n\nThe correct fix is to **upgrade to a Talos build whose kernel already contains the patch** \u2014 Linux **6.18.38**, shipped in **Talos v1.13.6** \u2014 which closes **both** CVEs at the kernel level. Then you don't need to disable nested virtualization at all.\n\n## The two CVEs and their fixed kernels\n\nBoth are KVM x86 shadow-paging use-after-free bugs enabling guest-to-host escape:\n\n| CVE | Fixed in the 6.18.x line |\n| --- | --- |\n| CVE-2026-46113 | 6.18.30 |\n| CVE-2026-53359 (Januscape) | 6.18.38 |\n\nStable kernels are cumulative, so **6.18.38 contains both fixes**. Mapping to Talos:\n\n- Talos **v1.13.5** \u2192 kernel 6.18.36 \u2192 fixes only 46113 (NOT 53359).\n- Talos **v1.13.6** \u2192 kernel 6.18.38 \u2192 fixes **both**.\n\nSo bump to **v1.13.6**, not v1.13.5.\n\n## Why the config mitigation fails on systemd-boot\n\nTalos docs, verbatim: *\"the `.machine.install.extraKernelArgs` field is ignored, as kernel arguments are embedded in the UKI and cannot be modified without upgrading the UKI.\"*\n\n- `kvm_intel`/`kvm_amd` are built into the Talos kernel, so `modprobe.d` does nothing and `/sys/module/kvm_intel/parameters/nested` is `0444` (read-only). `nested=` is settable only via the kernel command line.\n- On systemd-boot the cmdline lives inside the signed UKI, so `extraKernelArgs` are dropped \u2014 Talos even warns `extra kernel arguments are not supported when booting using SDBoot`.\n- `grubUseUKICmdline: false` only helps GRUB nodes. On a systemd-boot node, `talosctl upgrade` with these args leaves `/proc/cmdline` unchanged and nested stays on.\n\nSo on systemd-boot nodes, disabling nested via config is not possible \u2014 but you don't need to. Just run a fixed kernel.\n\n## The fix \u2014 upgrade to Talos v1.13.6\n\nIf your nodes use system extensions (drbd, zfs, firmware, GPU, ucode), build a Talos Image Factory schematic and upgrade to it. Nothing here requires a custom-built image \u2014 Image Factory assembles the stock installer plus the official extensions declaratively.\n\n### 1. Create a schematic with your extensions\n\n```sh\ncat &gt; schematic.yaml &lt;&lt;'YAML'\ncustomization:\n  systemExtensions:\n    officialExtensions:\n      - siderolabs/drbd\n      - siderolabs/zfs\n      - siderolabs/amd-ucode\n      - siderolabs/intel-ucode\n      - siderolabs/amdgpu\n      - siderolabs/i915\n      - siderolabs/bnx2-bnx2x\n      - siderolabs/intel-ice-firmware\n      - siderolabs/qlogic-firmware\nYAML\n\ncurl -sX POST --data-binary @schematic.yaml https://factory.talos.dev/schematics\n# -&gt; {\"id\":\"\"}\n```\n\nTrim the extension list to what your cluster actually uses.\n\n### 2. Upgrade node-by-node\n\n```sh\ntalosctl -n  upgrade \\\n  --image factory.talos.dev/installer/:v1.13.6\n```\n\n`talosctl upgrade` re-runs the installer, rewrites the boot assets and reboots. Roll one node at a time; on control-plane nodes wait for etcd and your CSI/storage to be healthy between nodes. Note: Talos only tests migrations between adjacent minors, so from an old release upgrade sequentially through each minor's latest patch (e.g. 1.10 \u2192 1.11 \u2192 1.12 \u2192 1.13) rather than jumping straight.\n\n### 3. Verify\n\n```sh\ntalosctl -n  version                          # Server: v1.13.6\ntalosctl -n  read /proc/sys/kernel/osrelease  # 6.18.38-talos\ntalosctl -n  get extensions                   # your extensions present\n```\n\n`kvm_intel.nested` may stay `Y` \u2014 that is fine; the vulnerable code path is fixed in the kernel.\n\n## Ready example (Cozystack extension set)\n\nA schematic with the standard Cozystack extension set (drbd, zfs, amd/intel-ucode, amdgpu, i915, bnx2-bnx2x, intel-ice-firmware, qlogic-firmware):\n\n- Schematic ID: `be66fdc8a38c2f517f33cba0a6daa7ab97ff87d51e8ca7d2160e45911ba09cf5`\n- Installer: `factory.talos.dev/installer/be66fdc8a38c2f517f33cba0a6daa7ab97ff87d51e8ca7d2160e45911ba09cf5:v1.13.6`\n\n## References\n\n- CVE-2026-53359 (Januscape): https://nvd.nist.gov/vuln/detail/CVE-2026-53359\n- CVE-2026-46113: https://nvd.nist.gov/vuln/detail/CVE-2026-46113\n- Talos bootloader (GRUB vs systemd-boot, UKI cmdline): https://docs.siderolabs.com/talos/v1.13/platform-specific-installations/bare-metal-platforms/bootloader\n- Talos Image Factory: https://factory.talos.dev\n", "creation_timestamp": "2026-07-09T12:33:33.641301Z"}