Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.
AnalysisAI
OpenShift Container Platform exposes a resource exhaustion path where low-privileged authenticated users with pod creation rights can trigger cluster-wide API server degradation by exploiting two quota enforcement gaps: completed pods with restartPolicy:Never are excluded from ResourceQuota pod limits, and Kubernetes events are not quota-scoped. By repeatedly creating such short-lived pods, an attacker causes Kubernetes events to accumulate unboundedly in etcd, degrading API server performance across the entire cluster - a scope change (CVSS S:C) that extends impact well beyond the attacker's own namespace. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
CWE-770 (Allocation of Resources Without Limits or Throttling) is the root cause class. OpenShift Container Platform, built on Kubernetes, enforces namespace-level resource quotas via ResourceQuota objects, but contains two enforcement gaps exploited by this vulnerability. First, pods configured with restartPolicy:Never that have completed are excluded from pod count calculations within ResourceQuota, allowing unlimited creation of such pods without triggering quota enforcement. Second, Kubernetes events - structured records of cluster state transitions such as pod scheduling, startup, and termination - are not subject to any quota scoping mechanism, meaning they accumulate in etcd without per-namespace limits. Etcd is the distributed key-value store that serves as the backing datastore for all Kubernetes API server state; unbounded growth of event records increases etcd memory and storage consumption, ultimately degrading API server throughput and latency cluster-wide. Red Hat (secalert@redhat.com) is the reporting organization. No CPE strings were provided in the available intelligence.
RemediationAI
No specific patched version number was available in the provided intelligence - the vendor fix version must be confirmed via the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-10533, which should be the primary remediation reference. Patch availability per vendor advisory should be assumed until confirmed otherwise. As compensating controls pending a patch: restrict pod creation RBAC permissions (the 'pods' 'create' verb) to only explicitly trusted users and service accounts within each namespace - note this may break legitimate developer workflows and requires careful scoping. Apply ResourceQuota objects that limit total event objects in high-risk namespaces where supported. Implement etcd size monitoring and API server latency alerting to detect exploitation attempts early and enable incident response before full degradation occurs. Review all namespace-level role bindings to audit which users currently hold pod creation rights across the cluster. The Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2483727 may contain additional workaround guidance from Red Hat engineers.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33641
GHSA-x82c-vfjw-x245