Vulnerability in Volcano Kubernetes Batch Scheduling System by Volcano Labs
CVE-2026-44247

6.8 MEDIUM

Key Information:

Vendor: Volcano-sh

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-44247?

A significant vulnerability exists in Volcano, a batch scheduling system for Kubernetes. In versions prior to v1.14.2, v1.13.3, and v1.12.4, the webhook server does not enforce a size limit on HTTP request bodies, so any in-cluster pod can send it excessively large requests. This can destabilize the server and potentially crash it through out-of-memory (OOM) conditions. Users should upgrade to the latest versions to mitigate this risk and ensure system stability.
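The missing control described above, as an added Go example; it is not Volcano's code or its actual patch. The names `admit`, `limitBody`, `statusFor`, the `/validate` path and the 3 MiB cap are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBody is an assumed cap for this example, not a value taken from Volcano.
const maxBody = 3 << 20 // 3 MiB

// admit stands in for a webhook endpoint (hypothetical). Served on its own,
// io.ReadAll buffers whatever the caller sends: the unbounded pattern.
func admit(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError // only produced when the body is capped
	if errors.As(err, &tooBig) {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	} else if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// limitBody caps how much of the request body next is allowed to read.
func limitBody(max int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, max)
		next.ServeHTTP(w, r)
	})
}

// statusFor sends n constructed bytes to h in-process and returns the status.
func statusFor(h http.Handler, n int) int {
	req := httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(strings.Repeat("a", n)))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	guarded := limitBody(maxBody, http.HandlerFunc(admit))
	fmt.Println(statusFor(guarded, 512), statusFor(guarded, maxBody+1))
}
```

With the wrapper in place the read stops at the cap and the request is answered with 413; the same handler without it buffers the whole body.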

Affected Version(s)

volcano >= 1.14.0-alpha.0, < 1.14.2 < 1.14.0-alpha.0, 1.14.2

volcano >= 1.13.0, < 1.13.3 < 1.13.0, 1.13.3

volcano < 1.12.4 < 1.12.4

References

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
