VolSync v0.13 is a Kubernetes operator enabling asynchronous replication of persistent volumes within or across clusters. Red Hat Product Security issued an advisory (RHSA-2026:2351) for security fixes and container updates addressing three CVEs: CVE-2025-47907, CVE-2025-58183, and CVE-2025-65637. These vulnerabilities are associated with concurrency issues (CWE-362), improper resource exhaustion (CWE-770), and uncontrolled resource consumption (CWE-400). The update to VolSync v0.13.2 includes patches that resolve these issues and provide updated container images. The advisory rates the security impact as moderate and no known exploits have been reported. The affected products include Red Hat Advanced Cluster Management for Kubernetes 2.14 and related container images on amd64 and other architectures.

The vulnerabilities in VolSync v0.13 could allow an attacker to cause resource exhaustion or concurrency-related issues affecting the replication of persistent volumes in Kubernetes clusters. This may impact the availability or reliability of persistent data replication. The overall security impact is rated as moderate by Red Hat Product Security. There are no known exploits in the wild at this time.

Red Hat has released VolSync v0.13.2 which includes security fixes and updated container images addressing the identified vulnerabilities. Users should upgrade to this version to mitigate the issues. The vendor advisory (RHSA-2026:2351) provides detailed information and updated images. Since this is not a cloud service, remediation requires applying the updated software. Patch status is confirmed by the vendor advisory. No additional mitigation steps are indicated beyond applying the update.