CVE-2026-43499 (GhostLock): Cozystack Exposure Assessment
CVE-2026-43499 (GhostLock) is a Linux kernel local privilege escalation. Cozystack is not exposed by design, and the fix is the same Talos v1.13.6 kernel upgrade.
CVE-2026-43499 (GhostLock) is a Linux kernel local privilege escalation. Cozystack is not exposed by design, and the fix is the same Talos v1.13.6 kernel upgrade.
The proper fix for CVE-2026-53359 (Januscape) and CVE-2026-46113 is a kernel bump, not disabling nested virtualization — with a Talos Linux upgrade runbook.
How Cozystack isolates tenants on bare metal by default with Cilium eBPF policies, plus optional Kube-OVN VPCs for workloads that need dedicated subnets.
CVE-2026-53359 (“Januscape”) is a KVM guest-to-host escape affecting all current Talos kernels. Cozystack clusters that run VMs or tenant Kubernetes should disable nested virtualization now.
Cozystack v0.41 adds MongoDB as a managed application, introduces the Edit button and resource quota usage in the dashboard, adds JWT token verification, and enables cert-manager Gateway API support.
Talm v0.17 introduces built-in age encryption for secure secrets management, making it easier to store sensitive configuration files in Git repositories while maintaining security best practices.
How we solved the chicken-and-egg problem of deploying CNI and kube-proxy through Flux while ensuring Flux itself works without CNI and kube-proxy, using Kubernetes API routing and mTLS certificates.
Cozystack v0.38 introduces Virtual Private Cloud with Multus CNI, VNC console for VMs in the dashboard, configurable Kubernetes worker versions, and HTTPS-only enforcement for the API.
This release focuses on enhancing stability while addressing a significant number of bugs and introducing new features.
Cozystack v0.19 integrates Keycloak for SSO authentication, adds services to the dashboard, updates KubeVirt to v1.4.0, and brings new versions of Cilium, LINSTOR, and MetalLB.