Volcano
v1.13.3Orchestration & Managementv1.13.3 patches a DoS vulnerability in the webhook server (CVE-2026-44247) plus four scheduler bug fixes. Upgrade immediately if running v1.13.2 or earlier.
securityPatch CVE-2026-44247 immediately — all v1.13.x ≤ v1.13.2 are vulnerable
Any pod with network access to the Volcano webhook endpoint can send an arbitrarily large HTTP body and OOM-kill the webhook server, blocking all admission for jobs and queues. CVSS 6.8 (Moderate) but the blast radius is high in multi-tenant clusters. Upgrade to v1.13.3 (or v1.12.4 / v1.14.2 depending on your branch). If you can't upgrade immediately, restrict network access to the webhook service via NetworkPolicy to limit who can reach port 443 on the webhook server.
breakingMulti-queue preemption behavior changes — validate workloads after upgrade
Two preemption fixes alter scheduling decisions: preemptorTasks no longer get overwritten across queues, and QueueOrderFn is now enforced during preemption. If you rely on specific preemption outcomes in multi-queue setups, run a staging environment validation after upgrading. Jobs that were previously preempting others may no longer do so, or vice versa, depending on your queue priority configuration.
enhancementScheduler startup race eliminated — relevant for frequent restarts
The fix ensuring event handlers complete before scheduling starts matters most in environments where the scheduler pod restarts frequently (e.g., OOM restarts, rolling updates). Previously, a narrow race window could cause the scheduler to miss events. No config change needed — just upgrade and monitor scheduler logs at startup for any anomalies.
Key changes (5)
- CVE-2026-44247 fixed: unbounded HTTP request body in webhook server could trigger OOM kill, enabling DoS by any pod with network access to the webhook endpoint
- Scheduler fix: preemptorTasks map overwrite in multi-queue preemption scenarios now prevented, avoiding incorrect preemption decisions
- Scheduler fix: QueueOrderFn now respected during preempt action, ensuring queue priority ordering is honored consistently
- Startup race fixed: event handlers now fully complete initialization before scheduling begins
- Unnecessary deepcopy removed from snapshot path, reducing memory allocation overhead