Strix
26.1K

CVE-2026-44247

HIGHCVSS 7.4/10EPSS 0.17%

Last modified

CVE-2026-44247 is a high-severity vulnerability rated 7.4/10 on the CVSS scale. Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. EPSS estimates a 0.17% chance of exploitation in the next 30 days.

Description

Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4.

Metrics

CVSS 3.1
7.4/10

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Probability
0.17%

7.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LinuxfoundationVolcano< 1.12.4
LinuxfoundationVolcano>= 1.13.0, < 1.13.3
LinuxfoundationVolcano>= 1.14.0, < 1.14.2

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-44247?
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4.
How severe is CVE-2026-44247?
CVE-2026-44247 has a CVSS score of 7.4/10 (HIGH severity). The EPSS model estimates a 0.17% probability of exploitation in the next 30 days.
How do I fix CVE-2026-44247?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-44247?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST