CVE-2026-10533: Allocation of Resources Without Limits or Throttling in Red Hat Red Hat OpenShift Container Platform 4
A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.
AI Analysis
Technical Summary
The vulnerability in Red Hat OpenShift Container Platform 4 involves improper resource quota enforcement for completed pods with restartPolicy: Never and unscoped Kubernetes events. Because these pods do not count against ResourceQuota pod limits and events are not quota-scoped, a non-privileged user can create many pods that generate excessive events. These events accumulate in etcd, the Kubernetes backing store, causing performance degradation of the API server cluster-wide. This is a denial-of-service type issue impacting availability but does not affect confidentiality or integrity.
Potential Impact
The impact is limited to availability degradation of the OpenShift API server due to resource exhaustion in etcd from excessive Kubernetes events generated by completed pods not counted against quotas. There is no impact on confidentiality or integrity. The vulnerability requires a non-privileged user to have pod creation rights in a namespace. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-10533 for current remediation guidance. Until an official fix is available, consider restricting pod creation permissions to trusted users and monitor for unusual event volume. No vendor advisory states that the issue is already mitigated or requires no action.
CVE-2026-10533: Allocation of Resources Without Limits or Throttling in Red Hat Red Hat OpenShift Container Platform 4
Description
A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.
CVSS v3.1
Score 5.0medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Red Hat OpenShift Container Platform 4 involves improper resource quota enforcement for completed pods with restartPolicy: Never and unscoped Kubernetes events. Because these pods do not count against ResourceQuota pod limits and events are not quota-scoped, a non-privileged user can create many pods that generate excessive events. These events accumulate in etcd, the Kubernetes backing store, causing performance degradation of the API server cluster-wide. This is a denial-of-service type issue impacting availability but does not affect confidentiality or integrity.
Potential Impact
The impact is limited to availability degradation of the OpenShift API server due to resource exhaustion in etcd from excessive Kubernetes events generated by completed pods not counted against quotas. There is no impact on confidentiality or integrity. The vulnerability requires a non-privileged user to have pod creation rights in a namespace. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-10533 for current remediation guidance. Until an official fix is available, consider restricting pod creation permissions to trusted users and monitor for unusual event volume. No vendor advisory states that the issue is already mitigated or requires no action.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-06-01T11:32:36.795Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-10533","vendor":"Red Hat"}]
Threat ID: 6a1d9f52e29bf47b5008b348
Added to database: 6/1/2026, 3:03:46 PM
Last enriched: 6/1/2026, 3:34:41 PM
Last updated: 6/2/2026, 4:57:09 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.