Qin Ping

**Name of the Vulnerable Software and Affected Versions** Kubernetes CSI snapshot-controller versions prior to 2.1.3 and 3.0.2 **Description** The issue occurs when the Kubernetes CSI snapshot-controller processes a VolumeSnapshot custom resource under specific conditions: the VolumeSnapshot references a non-existing PersistentVolumeClaim and does not reference any VolumeSnapshotClass. This causes the snapshot-controller to crash and, upon automatic restart by Kubernetes, enter an endless crash loop when processing the same VolumeSnapshot custom resource again. The vulnerability affects only the volume snapshot feature, preventing users from taking snapshots of their volumes or deleting existing snapshots. All other Kubernetes functionality remains unaffected. **Recommendations** For versions prior to 2.1.3, update to version 2.1.3 or later. For versions prior to 3.0.2, update to version 3.0.2 or later. As a temporary workaround, consider disabling the volume snapshot feature until a patch is available. Restrict access to the VolumeSnapshot custom resource to minimize the risk of exploitation.