CVE-2026-44247

Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/volcano-sh/volcano/security/advisories/GHSA-8wxp-xxp2-rcgx	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:linuxfoundation:volcano::::::kubernetes::*
	cpe:2.3:a:linuxfoundation:volcano::::::kubernetes::*
	cpe:2.3:a:linuxfoundation:volcano::::::kubernetes::*

History

02 Jun 2026, 17:25

Type	Values Removed	Values Added
References	~~() https://github.com/volcano-sh/volcano/security/advisories/GHSA-8wxp-xxp2-rcgx -~~	() https://github.com/volcano-sh/volcano/security/advisories/GHSA-8wxp-xxp2-rcgx - Vendor Advisory
First Time		Linuxfoundation Linuxfoundation volcano
CPE		cpe:2.3:a:linuxfoundation:volcano::::::kubernetes::*

27 May 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-27 22:16

Updated : 2026-06-02 17:25

NVD link : CVE-2026-44247

Mitre link : CVE-2026-44247

CVE.ORG link : CVE-2026-44247

JSON object : View

Products Affected

linuxfoundation

volcano

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-44247", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.8}]}, "published": "2026-05-27T22:16:35.507", "references": [{"url": "https://github.com/volcano-sh/volcano/security/advisories/GHSA-8wxp-xxp2-rcgx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4."}], "lastModified": "2026-06-02T17:25:43.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:volcano:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "7103931B-CC42-4ECD-8127-A89315C118B0", "versionEndExcluding": "1.12.4"}, {"criteria": "cpe:2.3:a:linuxfoundation:volcano:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "612FD87D-65A3-4AC8-8748-152EE2AD2841", "versionEndExcluding": "1.13.3", "versionStartIncluding": "1.13.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:volcano:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "59983915-4C18-48E5-B64E-219529C9E90E", "versionEndExcluding": "1.14.2", "versionStartIncluding": "1.14.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}