PT-2025-18315 · Unknown+2 · Kubernetes+2

Published: 2025-04-30 · Updated: 2025-05-07 · CVE-2025-32777

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Volcano versions prior to 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2
Description

The Volcano scheduler can be driven into a denial of service through a privilege-escalation path from components it trusts. If an attacker compromises either the Elastic service or the extender plugin, the scheduler becomes unavailable to every other user and workload in the cluster: it either crashes with an unrecoverable OOM panic or freezes while consuming excessive memory, because it places no limit on the resources it allocates while handling what these components send back to it. This matters because Volcano users may run the Elastic service and extender plugins in pods or nodes separate from the scheduler, and node isolation is a security boundary in the Kubernetes security model: a compromise confined to one of those pods or nodes should not be able to take down the cluster-wide scheduler.
Recommendations

Update to Volcano 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, or 1.12.0-alpha.2, whichever release line you are on. Until the upgrade is in place, reduce exposure by restricting access to the Elastic service and the extender plugin: lock down the pods or nodes where they run so that an attacker cannot use either component as a stepping stone across the isolation boundary into the scheduler. A workaround of this kind only narrows the attack surface; the unbounded allocation itself remains until the scheduler is patched.
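The weakness class behind this advisory is easiest to see in code. The following Go program is an added illustration written for this page, not Volcano's own code, and it does not reproduce Volcano's wire format: a scheduler-side client decodes a JSON reply from a remote extender first with no size limit (the weak pattern) and then through an io.LimitReader (the hardened form), while a simulated extender answers every call with an oversized body. The names maxExtenderResponseBytes, extenderReply, decodeUnbounded, decodeBounded and hostileBody, and the 1 MiB cap, are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxExtenderResponseBytes is an assumed cap (1 MiB) on the body the
// scheduler will accept from an extender; Volcano's own limit, if any,
// may differ.
const maxExtenderResponseBytes int64 = 1 << 20

// extenderReply is a hypothetical stand-in for the JSON an extender
// returns; the real wire format is not reproduced here.
type extenderReply struct {
	Nodes []string `json:"nodes"`
}

// decodeUnbounded shows the weak pattern: the scheduler reads whatever
// the remote component sends, so a compromised extender can return a
// body large enough to drive the scheduler into an unrecoverable OOM.
func decodeUnbounded(body io.Reader) (*extenderReply, error) {
	raw, err := io.ReadAll(body) // buffer grows without limit
	if err != nil {
		return nil, err
	}
	var r extenderReply
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	return &r, nil
}

// errResponseTooLarge is returned when the remote side exceeds the cap.
var errResponseTooLarge = errors.New("extender response exceeds size limit")

// decodeBounded is the hardened form: reading stops one byte past the
// cap, so memory use is bounded no matter what the remote side sends.
func decodeBounded(body io.Reader) (*extenderReply, error) {
	raw, err := io.ReadAll(io.LimitReader(body, maxExtenderResponseBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(raw)) > maxExtenderResponseBytes {
		return nil, errResponseTooLarge
	}
	var r extenderReply
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	return &r, nil
}

// hostileBody builds a syntactically valid reply whose single node name
// is n bytes long: constructed input standing in for a malicious extender.
func hostileBody(n int) io.Reader {
	return io.MultiReader(
		strings.NewReader(`{"nodes":["`),
		strings.NewReader(strings.Repeat("a", n)),
		strings.NewReader(`"]}`),
	)
}

func main() {
	// Simulated compromised extender that answers every call with a 4 MiB reply.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.Copy(w, hostileBody(4<<20))
	}))
	defer srv.Close()

	decoders := []struct {
		name   string
		decode func(io.Reader) (*extenderReply, error)
	}{
		{"unbounded", decodeUnbounded},
		{"bounded", decodeBounded},
	}
	for _, d := range decoders {
		resp, err := http.Get(srv.URL)
		if err != nil {
			fmt.Println(d.name, "request failed:", err)
			continue
		}
		r, err := d.decode(resp.Body)
		resp.Body.Close()
		if err != nil {
			fmt.Printf("%-9s rejected: %v\n", d.name, err)
			continue
		}
		fmt.Printf("%-9s accepted %d node(s) totalling %d bytes of names\n", d.name, len(r.Nodes), len(strings.Join(r.Nodes, "")))
	}
}
```

The unbounded decoder happily buffers the whole 4 MiB and parses it; scale the body up and the same code path is what produces the OOM panic or the memory-starved freeze the advisory describes. The bounded decoder fails fast with a size-limit error after consuming just over 1 MiB, which is the cheap, deterministic failure you want when the component on the other end of a trust boundary turns hostile.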

Tags: Exploit · Fix · LPE · DoS

Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2025-32777
GHSA-HG79-FW4P-25P8
GO-2025-3656
OPENSUSE-SU-2025:15059-1

Affected Products

Elastic
Kubernetes
Volcano