CRE-2025-0026

AWS EBS CSI Driver fails to detach volume when VolumeAttachment has empty nodeNameLow

Impact: 6/10

Mitigation: 1/10

CRE-2025-0026View on GitHub

ebscsiAWSStoragePublic

Description

In clusters using the AWS EBS CSI driver, the controller may fail to detach a volume if the associated VolumeAttachment resource has an empty `spec.nodeName`. This results in a log error and skipped detachment, which may block PVC reuse or node cleanup.

Mitigation

- Upgrade to aws-ebs-csi-driver v1.26.1 or later. - Avoid deleting PVCs or terminating pods immediately after volume provisioning. - Monitor for detachment failures via controller logs.

References

• https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1447#issuecomment-1664682557
• https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1576
• https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/tag/v1.26.1