Edera

Computer and Network Security

Seattle, WA 4,356 followers

Hardened runtime for your container and AI environments, without the complexity.

About us

Edera reimagines container runtime from the foundation up, bringing resource optimization to workloads without disrupting developer workflows. Our approach bridges the gap between how containers ship and how they should run. While point solutions add layers on top of flawed foundations, we've redesigned the core architecture: solving from the hardware up, not software down. Organizations ship with containers but transform with Edera, achieving significant infrastructure cost savings and security by default.

Website: https://edera.dev
Industry: Computer and Network Security
Company size: 11-50 employees
Headquarters: Seattle, WA
Type: Privately Held
Founded: 2024
Specialties: Cybersecurity, Containerization, Hypervisors, Runtime, Memory Safety, and AI Infrastructure

Updates

  • Edera reposted this

    Kata Containers. KubeVirt. OpenStack. Most production virtualization sits on QEMU. When QEMU has a bug, the blast radius is the entire stack downstream of it. This week, Calif's research team published a QEMU/UTM guest-to-host escape. The vulnerability existed in UTM's bundled QEMU because it hadn't backported a fix from upstream. Claude found the bug, designed a novel read primitive using QEMU's own VNC server, and wrote a working exploit chain — mostly from one-liner prompts. The bug class: integer overflow in virtio-gpu device emulation. The same broad class of attack surface that produced VENOM in 2015, CVE-2020-14364, CVE-2021-20255, and CVE-2026-5747 in Firecracker this month. This is the vulnerability class AI excels at finding. Device emulation means parsing untrusted guest input with host-side privileges. Every queue index, buffer address, register write, descriptor flag — all untrusted, all processed by code that a frontier model can hold entirely in context and probe systematically. We've been saying: "smaller attack surface". This was the right strategy when the constraint was human attention. It's the wrong strategy when frontier models can fully audit a 500,000-line codebase in hours. Edera's architecture removes the VMM attack surface entirely. No QEMU. No device emulation. No virtio. IDM over shared memory instead. CVE-2026-5747 and the QEMU escape aren't vulnerabilities Edera patches; they're a vulnerability class that doesn't exist in our architecture. Read more on why minimal is no longer enough → https://lnkd.in/edXDX6Pw

  • Edera reposted this

    There is a growing interest discussing security boundaries, and indeed that is what we claim as our core competence here at Edera: isolation of workloads through virtualization. I want to address something that continues to appear in communications but is a long-standing concern that I feel has bit-rotted: a virtual machine is not today what it was a decade ago. By that I do not refer to the hardware support or the acceleration (which yes has changed significantly), but rather what it is we stick into the VM after the hypervisor reaches the entry point for the guest software stack. That is to say, we aren't putting the same system software stacks into a virtual machine as we used to (outside of research). Yet we are still holding on to the old definition that a VM is akin to booting a full desktop or server operating system. These have multi-GiB disks, need lots of RAM, CPUs, and are slow to boot, thus I see communications saying "micro-vm" or similar to differentiate the solutions provided. A "virtual machine" is merely a mechanism, and does not define what you do with it. Thus I want to suggest that we should not be holding on to the legacy notion of a VM being heavy-weight, slow, etc. End users wanting to run other interactive apps, games, etc. would need a full OS. But in the enterprise and security world, we are not doing this (if we are, we should not be). A VM in today's context is just the security boundary provided by the hypervisor. We see many instances today where we are not putting a full operating system stack and disk image into them (our own stack, and Apple's container support being the most notable recently). We are not running full operating system images in our virtual machines, so that seems inaccurate to use as the status-quo when describing our virtual machine solutions today. VMs are not slow - the software stack inside is.

  • Edera reposted this

    As enterprises are adopting generative AI tools, once contract cycles lapse there will be an interesting realization: inference providers are not as replaceable as you think if you are unable to capture the behavioral context for your organization. Whether you are buying one of these products or building one, I tried to summarize my thoughts on the implications.

  • Edera reposted this

    Continuing my KCD tour this month, I'll be headed to KCD Helsinki - May 20, 2026 next week! The wonderful Lucas Käldström convinced me to fly out to Finland to talk about software supply chain security. It should be a fun talk looking back at both the hype and the real progress we've made (and haven't made) in making software supply chains more secure. And I have a plan to get all attendees to improve their supply chain security live at the event, so come watch to find out how. If you'll be at the conference come find me to chat supply chains, isolation, Edera, or really anything cool you've been thinking about. Plus I have a little time to explore Helsinki! So if you have any tips for what I should see, do, or eat let me know.

  • Edera reposted this

    Attending KCD Toronto was an incredible experience. I had the privilege of representing Edera alongside Brian Edelstein, where we showcased our technology to such a vibrant and engaged cloud native community. A big thank you to the organizers and many volunteers for putting together such a thoughtfully curated event and creating a space that truly encouraged learning, collaboration, and meaningful conversations.

  • Edera reposted this

    The best conversations don't happen in session rooms. They happen after: over a drink, with someone you just met, in a room full of people who actually care about what gets built next.

    Edera and Minimus are hosting Sprout & Sip, a happy hour at Minneapolis' Flora Room during Cloud Native Computing Foundation (CNCF)'s Open Source Summit.

    Tuesday, May 19 | 6:30 – 8:30 PM CDT
    Heavy appetizers + beer, wine & cocktails on us.

    Come decompress, connect, and talk about the things that matter — the ideas, the hard problems, the work that doesn't always make it into a slide deck.

    Space is limited and first come, first served. Registration link in the comments.

  • Edera reposted this

    Security is top of mind for every enterprise in New York right now — and it's woven through the entire KCD New York 2026 program. Not a single track. Not a checkbox. A thread that runs through tons of sessions on June 10 -- from the Linux kernel up to the API edge -- built specifically for the engineering teams carrying that weight.

    ━━ SESSIONS ━━
    → Transparent by Design: Shipping Artifacts and Evidence for Supply Chain Security — Brandt Keller, Defense Unicorns
    → Zero Trust for APIs: From Edge to Mesh with Istio — Mofesola B. Babalola & Hannah Olukoye
    → Observing Kubernetes Policies with Kyverno and VictoriaMetrics — Diana Todea & Cortney Nickerson
    → From Dev Environment to Production Breach: Developer Access into Supply Chain Breaches — Dwayne McDaniel, GitGuardian
    → Life of a Packet in Istio Ambient — Steven Jin, Microsoft

    ━━ ROUNDTABLES (50 min, practitioner-only) ━━
    → Software Supply Chain & Runtime Security — Miguel De Los Santos, Upwind Security
    → Linux Kernel Fundamentals for Kubernetes Users — Marina Moore, Edera

    ━━ LIGHTNING TALK ━━
    → Untrusted Code & Autonomous Minds: Hardening AI Agent Runtimes on K8s — Victor S. Recio

    ━━ PANEL ━━
    → When Domains Collide: AI, Security & FinOps Inside the Platform Engineering Stack | Fabrizio Sgura, Dolis Sharma, Alessandro Cannarella, Marina Moore

    Supply chain. Zero trust. Runtime hardening. Policy enforcement. OWASP K8s. Istio ambient. AI agent security. All vendor-agnostic. All practitioner-led.

    See you June 10 · Convene One Liberty Plaza, Manhattan

    💫 ⭐ Bringing your team? We offer group discounts for teams of 3 or more — reach out to new-york-org@kubernetescommunitydays.org to arrange a bundle rate before you register!

    #KCDNewYork #Kubernetes #CloudNative #KubernetesSecurity #SupplyChainSecurity #ZeroTrust #DevSecOps #EnterpriseIT #NYC
