RATATOSKRATATOSK
Sign in

KubeVirt

v1.8.4Orchestration & Management
Jun 17, 2026

KubeVirt v1.8.4 is a patch release fixing a gRPC connection leak in virt-handler that caused memory growth, patching CVE-2026-35469 in spdystream, and adding missing metrics/alerts.

  • securityPatch CVE-2026-35469 by upgrading to v1.8.4

    The moby/spdystream dependency carried CVE-2026-35469 (GHSA-pc3f-x583-g7j2). If you're on any v1.8.x release before v1.8.4, upgrade now. Check your internal scanner results for this CVE to confirm exposure before and after the upgrade.

  • breakinggRPC connection leak fix may change virt-handler resource footprint

    The connection leak in GetLauncherClient caused unbounded memory and goroutine growth when multiple controllers raced on the same VMI. After upgrading, virt-handler memory usage should drop noticeably in clusters with high VMI churn. If you have memory-based alerts or resource limits tuned to the leaked baseline, revisit those thresholds post-upgrade.

  • enhancementNew metrics and alerts for virt components — update dashboards

    Missing metrics, recording rules, and alerts were added for virt components. Review what's new against your existing Prometheus/Alertmanager setup and add any new alerts to your runbooks. This is a good time to audit alert coverage gaps you may have been living with.

Key changes (4)

  • CVE-2026-35469: moby/spdystream bumped from v0.5.0 to v0.5.1 to address GHSA-pc3f-x583-g7j2
  • Fixed gRPC connection leak in virt-handler's GetLauncherClient — caused unbounded memory growth, socket accumulation, and goroutine leaks under controller races
  • Added missing metrics, recording rules, and alerts for virt components
  • Node-labeller now uses --expand-cpu-features and --supported-cpu-features flags