KubeVirt v1.8.4 is a patch release fixing a gRPC connection leak in virt-handler that caused memory growth, patching CVE-2026-35469 in spdystream, and adding missing metrics/alerts.
securityPatch CVE-2026-35469 by upgrading to v1.8.4
The moby/spdystream dependency carried CVE-2026-35469 (GHSA-pc3f-x583-g7j2). If you're on any v1.8.x release before v1.8.4, upgrade now. Check your internal scanner results for this CVE to confirm exposure before and after the upgrade.
breakinggRPC connection leak fix may change virt-handler resource footprint
The connection leak in GetLauncherClient caused unbounded memory and goroutine growth when multiple controllers raced on the same VMI. After upgrading, virt-handler memory usage should drop noticeably in clusters with high VMI churn. If you have memory-based alerts or resource limits tuned to the leaked baseline, revisit those thresholds post-upgrade.
enhancementNew metrics and alerts for virt components — update dashboards
Missing metrics, recording rules, and alerts were added for virt components. Review what's new against your existing Prometheus/Alertmanager setup and add any new alerts to your runbooks. This is a good time to audit alert coverage gaps you may have been living with.
主な変更 (4)
- CVE-2026-35469: moby/spdystream bumped from v0.5.0 to v0.5.1 to address GHSA-pc3f-x583-g7j2
- Fixed gRPC connection leak in virt-handler's GetLauncherClient — caused unbounded memory growth, socket accumulation, and goroutine leaks under controller races
- Added missing metrics, recording rules, and alerts for virt components
- Node-labeller now uses --expand-cpu-features and --supported-cpu-features flags