https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html

The above blog post describes a security issue on AMD CPUs with nested KVM enabled and refers to another post about previous issues with KVM on Intel.

The vast majority of KVM users don't use nested KVM. As it's easy to determine whether nested KVM is enabled (if you have a reason to look for it), it won't be a great inconvenience to users of nested KVM to default to disabling it. But for the majority who don't have a need for it, enabling that feature by default increases the attack surface for no benefit, and they won't notice it.

I believe that the default for KVM should be to disable nested virtualisation. This could be done by a kernel patch or by the configuration of kmod. I think it's best to get the kernel people to consider it first; we can transfer the bug to kmod if you think that's best.

For users who read this, the following in /etc/modprobe.d/kvm.conf will cause nested virtualisation to be disabled the next time the KVM module is loaded:

    options kvm_intel nested=0
    options kvm_amd nested=0
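The following script is an added example, not part of the bug report above. It checks the running kernel's nested-virtualisation setting for both KVM modules by reading the module parameter exposed under /sys/module/<module>/parameters/nested (kvm_intel exposes it as a bool, printed Y/N; kvm_amd as an int, printed 1/0) and prints the modprobe.d lines from the report that turn the feature off. The sysfs root is a parameter so the functions can be exercised offline against a constructed directory tree; the function names and the fake-sysfs helper are this example's own.

```shell
#!/bin/sh
# Added example: report whether nested KVM is enabled and emit the
# modprobe.d configuration that disables it on the next module load.

# Raw value of the "nested" parameter for one KVM module, or "absent" when the
# module is not loaded or the file is unreadable. $2 overrides the sysfs root
# (default /sys/module) so the logic can be tested on a constructed tree.
kvm_nested_state() {
    mod="$1"
    root="${2:-/sys/module}"
    f="$root/$mod/parameters/nested"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Normalise the kernel's representation: kvm_intel prints Y/N, kvm_amd 1/0.
kvm_nested_is_enabled() {
    case "$(kvm_nested_state "$@")" in
        Y|y|1) echo enabled ;;
        N|n|0) echo disabled ;;
        *)     echo absent ;;
    esac
}

# The /etc/modprobe.d/kvm.conf contents recommended in the report.
kvm_nested_disable_conf() {
    printf 'options kvm_intel nested=0\noptions kvm_amd nested=0\n'
}

# Build a constructed fake sysfs tree (kvm_intel loaded with nested=Y,
# kvm_amd not loaded) for offline demonstration; not a real system state.
make_fake_sysfs() {
    d="$1"
    mkdir -p "$d/kvm_intel/parameters"
    printf 'Y\n' > "$d/kvm_intel/parameters/nested"
}

# Stand-alone use: show the live state, then the config that would disable it.
for m in kvm_intel kvm_amd; do
    echo "$m nested virtualisation: $(kvm_nested_is_enabled "$m")"
done
echo "To disable, write the following to /etc/modprobe.d/kvm.conf:"
kvm_nested_disable_conf
```

Writing the file only affects the next load of the modules; on a host where kvm_intel or kvm_amd is already loaded, the live state printed by the script will not change until the module is reloaded or the machine is rebooted, which is why checking the sysfs value after the change is a useful confirmation.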