Volcano
v1.12.4Orchestration & Managementv1.12.4 is a security patch release fixing a DoS vulnerability in the webhook server plus two scheduler correctness bugs. Upgrade immediately if running v1.12.3 or earlier.
securityPatch the webhook server OOM vulnerability now
CVE-2026-44247 lets any pod with network access to the webhook endpoint kill the webhook server by sending an oversized HTTP body, taking down admission control for the entire cluster. The CVSS scope is 'Changed', meaning the blast radius extends beyond the attacking pod. Any workload that can reach the webhook service is a potential attacker. Upgrade to v1.12.4 immediately. If you cannot upgrade right now, restrict network access to the webhook endpoint using NetworkPolicy to limit which pods or namespaces can reach it.
breakingMulti-queue preemption may have been silently producing wrong results
The preemptorTasks overwrite bug means clusters using multi-queue preemption could have been making incorrect scheduling decisions — lower-priority jobs potentially not being preempted correctly, or QueueOrderFn being ignored entirely. After upgrading, review preemption behavior in your queues. If you have queue ordering policies configured, verify they're now being applied as expected and check whether any jobs were stuck or incorrectly scheduled before the upgrade.
enhancementStartup race condition in the scheduler is resolved
The event handler completion fix addresses a subtle race where the scheduler could begin making decisions before all event handlers were ready. This was most likely to surface during controller restarts or rolling upgrades. No action required beyond upgrading, but if you've seen intermittent scheduling failures shortly after Volcano restarts, this is likely the cause.
Key changes (3)
- CVE-2026-44247: Webhook server vulnerable to OOM-based DoS via unbounded HTTP request body — CVSS 6.8 (Moderate)
- Scheduler fix: event handler now waits for completion before scheduling starts, preventing race conditions at startup
- Scheduler fix: preemptorTasks no longer overwritten during multi-queue preemption, QueueOrderFn is now properly honored