RATATOSKRATATOSK
Sign in

Volcano

v1.13.3Orchestration & Management
May 9, 2026

v1.13.3 patches a DoS vulnerability in the webhook server (CVE-2026-44247) plus four scheduler bug fixes. Upgrade immediately if running v1.13.2 or earlier.

  • securityPatch CVE-2026-44247 immediately — all v1.13.x ≤ v1.13.2 are vulnerable

    Any pod with network access to the Volcano webhook endpoint can send an arbitrarily large HTTP body and OOM-kill the webhook server, blocking all admission for jobs and queues. CVSS 6.8 (Moderate) but the blast radius is high in multi-tenant clusters. Upgrade to v1.13.3 (or v1.12.4 / v1.14.2 depending on your branch). If you can't upgrade immediately, restrict network access to the webhook service via NetworkPolicy to limit who can reach port 443 on the webhook server.

  • breakingMulti-queue preemption behavior changes — validate workloads after upgrade

    Two preemption fixes alter scheduling decisions: preemptorTasks no longer get overwritten across queues, and QueueOrderFn is now enforced during preemption. If you rely on specific preemption outcomes in multi-queue setups, run a staging environment validation after upgrading. Jobs that were previously preempting others may no longer do so, or vice versa, depending on your queue priority configuration.

  • enhancementScheduler startup race eliminated — relevant for frequent restarts

    The fix ensuring event handlers complete before scheduling starts matters most in environments where the scheduler pod restarts frequently (e.g., OOM restarts, rolling updates). Previously, a narrow race window could cause the scheduler to miss events. No config change needed — just upgrade and monitor scheduler logs at startup for any anomalies.

Key changes (5)

  • CVE-2026-44247 fixed: unbounded HTTP request body in webhook server could trigger OOM kill, enabling DoS by any pod with network access to the webhook endpoint
  • Scheduler fix: preemptorTasks map overwrite in multi-queue preemption scenarios now prevented, avoiding incorrect preemption decisions
  • Scheduler fix: QueueOrderFn now respected during preempt action, ensuring queue priority ordering is honored consistently
  • Startup race fixed: event handlers now fully complete initialization before scheduling begins
  • Unnecessary deepcopy removed from snapshot path, reducing memory allocation overhead