Skip to main content

OpenShift Container Platform CVE-2026-10533

| EUVDEUVD-2026-33641 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-01 secalert@redhat.com GHSA-x82c-vfjw-x245
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Red Hat
5.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:36 vuln.today

DescriptionCVE.org

A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.

AnalysisAI

OpenShift Container Platform exposes a resource exhaustion path where low-privileged authenticated users with pod creation rights can trigger cluster-wide API server degradation by exploiting two quota enforcement gaps: completed pods with restartPolicy:Never are excluded from ResourceQuota pod limits, and Kubernetes events are not quota-scoped. By repeatedly creating such short-lived pods, an attacker causes Kubernetes events to accumulate unboundedly in etcd, degrading API server performance across the entire cluster - a scope change (CVSS S:C) that extends impact well beyond the attacker's own namespace. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

CWE-770 (Allocation of Resources Without Limits or Throttling) is the root cause class. OpenShift Container Platform, built on Kubernetes, enforces namespace-level resource quotas via ResourceQuota objects, but contains two enforcement gaps exploited by this vulnerability. First, pods configured with restartPolicy:Never that have completed are excluded from pod count calculations within ResourceQuota, allowing unlimited creation of such pods without triggering quota enforcement. Second, Kubernetes events - structured records of cluster state transitions such as pod scheduling, startup, and termination - are not subject to any quota scoping mechanism, meaning they accumulate in etcd without per-namespace limits. Etcd is the distributed key-value store that serves as the backing datastore for all Kubernetes API server state; unbounded growth of event records increases etcd memory and storage consumption, ultimately degrading API server throughput and latency cluster-wide. Red Hat (secalert@redhat.com) is the reporting organization. No CPE strings were provided in the available intelligence.

RemediationAI

No specific patched version number was available in the provided intelligence - the vendor fix version must be confirmed via the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-10533, which should be the primary remediation reference. Patch availability per vendor advisory should be assumed until confirmed otherwise. As compensating controls pending a patch: restrict pod creation RBAC permissions (the 'pods' 'create' verb) to only explicitly trusted users and service accounts within each namespace - note this may break legitimate developer workflows and requires careful scoping. Apply ResourceQuota objects that limit total event objects in high-risk namespaces where supported. Implement etcd size monitoring and API server latency alerting to detect exploitation attempts early and enable incident response before full degradation occurs. Review all namespace-level role bindings to audit which users currently hold pod creation rights across the cluster. The Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2483727 may contain additional workaround guidance from Red Hat engineers.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

Share

CVE-2026-10533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy