CVE-2026-44247
Memory Exhaustion in Volcano Kubernetes Webhook Server

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: volcano
Product: volcano
Version range: up to 1.12.4 (excluding)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade your Volcano deployment to one of the fixed versions: v1.14.2, v1.13.3, or v1.12.4.

Ensure that the webhook server is not exposed unnecessarily to in-cluster traffic, or implement network policies to restrict access to the webhook endpoint.


Can you explain this vulnerability to me?

The vulnerability exists in the Volcano Kubernetes-native batch scheduling system's webhook server. Before versions v1.14.2, v1.13.3, and v1.12.4, the webhook server did not enforce any size limit on incoming HTTP request bodies.

This means that any pod within the Kubernetes cluster that can access the webhook endpoint could send an arbitrarily large HTTP request body.

As a result, the webhook server could be overwhelmed by the large request, potentially causing it to run out of memory (OOM) and be killed.

This issue affects all Volcano deployments with the webhook server exposed to in-cluster traffic and is fixed in versions v1.14.2, v1.13.3, and v1.12.4.
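The pattern behind this class of bug, shown as an added Go example that is not Volcano's code and not taken from the advisory: the same handler built once without a body limit (io.ReadAll buffers whatever the client sends) and once with http.MaxBytesReader in front of it. The 1 MiB cap, the /validate path and the minimal review document are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed values: the advisory names no specific limit or payload shape.
const maxBodyBytes = 1 << 20 // 1 MiB cap on an admission request body
const reviewPrefix = `{"kind":"AdmissionReview"}`

// newHandler returns a webhook handler. limit <= 0 reproduces the pattern the
// advisory describes (CWE-770): io.ReadAll buffers the whole body, however
// large. limit > 0 wraps the body in http.MaxBytesReader, which stops at the
// limit and returns *http.MaxBytesError instead of growing the buffer.
func newHandler(limit int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var body io.Reader = r.Body
		if limit > 0 {
			body = http.MaxBytesReader(w, r.Body, limit)
		}
		data, err := io.ReadAll(body)
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil || !json.Valid(data) {
			http.Error(w, "bad request body", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK) // decoding the AdmissionReview would follow
	}
}

// probe posts the constructed review document padded with `padding` bytes of
// whitespace (still valid JSON, just larger) to an in-process handler and
// returns the HTTP status, so both variants can be compared offline.
func probe(padding int, limit int64) int {
	body := reviewPrefix + strings.Repeat(" ", padding)
	req := httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(body))
	rec := httptest.NewRecorder()
	newHandler(limit)(rec, req)
	return rec.Code
}
```

With limit 0 a 2 MiB body is fully buffered and answered 200; with the cap in place the same body is cut off at 1 MiB and answered 413 before any decoding happens.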


How can this vulnerability impact me?

This vulnerability can impact you by causing denial of service within your Kubernetes cluster.

Since the webhook server can be killed by running out of memory due to large request bodies, it may stop functioning properly.

This can disrupt batch scheduling operations managed by Volcano, potentially affecting workloads and services relying on it.

