CVE-2026-44247
Status: Analyzed - Analysis Complete
Memory Exhaustion in Volcano Kubernetes Webhook Server

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
linuxfoundation | volcano | up to 1.12.4 (excluding)
linuxfoundation | volcano | from 1.13.0 (including) to 1.13.3 (excluding)
linuxfoundation | volcano | from 1.14.0 (including) to 1.14.2 (excluding)
CWE
CWE ID | Description
CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 | The product does not properly control the allocation and maintenance of a limited resource.
Mitigation Strategies

To mitigate this vulnerability, upgrade your Volcano deployment to one of the fixed versions: v1.14.2, v1.13.3, or v1.12.4.

Ensure that the webhook server is not exposed unnecessarily to in-cluster traffic, or implement network policies to restrict access to the webhook endpoint.
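The code-level fix the advisory describes is a ceiling on how much request body the webhook server will buffer. The following Go program is an added illustration, not Volcano's own code or its actual patch: it contrasts the unbounded read pattern (the whole body read into memory, so memory use is dictated by the client) with a handler that wraps the body in http.MaxBytesReader and answers 413 once the limit is exceeded. The 3 MiB limit, the /validate path and the placeholder admission response are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"io"
	"log"
	"net/http"
	"time"
)

// maxWebhookBody caps how much of an admission request body the server will buffer.
// AdmissionReview payloads are normally far smaller than this; 3 MiB is a constructed
// ceiling for this example, not a value taken from the Volcano project.
const maxWebhookBody int64 = 3 << 20

// ErrBodyTooLarge is returned when a client sends more than the configured limit.
var ErrBodyTooLarge = errors.New("request body exceeds limit")

// readUnboundedBody is the pattern the advisory describes: the whole body is read into
// memory with no ceiling, so the server's memory use grows with whatever the client sends.
func readUnboundedBody(r *http.Request) ([]byte, error) {
	return io.ReadAll(r.Body)
}

// readBoundedBody reads at most limit bytes. http.MaxBytesReader stops the read once
// limit is exceeded and, given the server's real ResponseWriter, marks the connection
// to be closed so the remainder of the body is never buffered.
func readBoundedBody(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	data, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			return nil, ErrBodyTooLarge
		}
		return nil, err
	}
	return data, nil
}

// hardenedHandler rejects oversized bodies with 413 before any admission logic runs.
// Decoding the AdmissionReview and computing a verdict are out of scope here; the
// fixed "allowed" response below is a placeholder, not Volcano's behaviour.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := readBoundedBody(w, r, maxWebhookBody)
	switch {
	case errors.Is(err, ErrBodyTooLarge):
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, "could not read request body", http.StatusBadRequest)
		return
	}
	// From here on len(body) is guaranteed to be at most maxWebhookBody.
	log.Printf("admission request of %d bytes", len(body))
	w.Header().Set("Content-Type", "application/json")
	_, _ = w.Write([]byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","response":{"allowed":true}}`))
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/validate", hardenedHandler)
	srv := &http.Server{
		Addr:              "127.0.0.1:8443",
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second, // bounds header parsing; the body is bounded in the handler
		MaxHeaderBytes:    1 << 20,
	}
	// A real admission webhook serves TLS; using ListenAndServeTLS with the
	// webhook's certificate is assumed and omitted here.
	log.Fatal(srv.ListenAndServe())
}
```

The body limit belongs in the handler (or a middleware applied to every route) rather than only in a reverse proxy, because in-cluster clients talk to the webhook pod directly; the network policy mentioned above limits who can reach the endpoint, while the read limit bounds what any permitted client can make the process allocate.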

Executive Summary

The vulnerability exists in the Volcano Kubernetes-native batch scheduling system's webhook server. Before versions v1.14.2, v1.13.3, and v1.12.4, the webhook server did not enforce any size limit on incoming HTTP request bodies.

This means that any pod within the Kubernetes cluster that can access the webhook endpoint could send an arbitrarily large HTTP request body.

As a result, the webhook server could be overwhelmed by the large request, potentially causing it to run out of memory (OOM) and be killed.

This issue affects all Volcano deployments with the webhook server exposed to in-cluster traffic and is fixed in versions v1.14.2, v1.13.3, and v1.12.4.

Impact Analysis

This vulnerability can cause a denial of service within your Kubernetes cluster.

Because the webhook server can be OOM-killed by a large request body, it may stop serving admission requests.

This can disrupt the batch scheduling operations Volcano manages, affecting the workloads and services that rely on it.
