CVE-2026-10533
Description
A flaw in OpenShift Container Platform allows non-privileged users to cause API server performance degradation by bypassing ResourceQuota limits via completed pods.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenShift Container Platform contains a flaw where completed pods configured with restartPolicy: Never are not correctly accounted for within ResourceQuota pod limits. Because Kubernetes events are also not quota-scoped, this behavior allows pods that have finished execution to remain outside of standard resource constraints, creating a discrepancy between actual resource usage and enforced quotas [1].
Exploitation
An attacker with permissions to create pods within a namespace can exploit this by repeatedly creating and completing pods with restartPolicy: Never. By bypassing the ResourceQuota limits, the attacker can generate a high volume of Kubernetes events that accumulate within the etcd database, effectively flooding the system with unnecessary data [1].
Impact
The accumulation of excessive events in etcd leads to significant API server performance degradation. This impact is cluster-wide, potentially affecting the availability and responsiveness of the OpenShift control plane for all users and administrative operations [1].
Mitigation
Not yet disclosed in the available references. Users are advised to monitor the official Red Hat security advisory for updates regarding patches or configuration workarounds [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
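A monitoring check for the condition described above, added here as an example (not code from this page or from Red Hat): it takes the parsed output of `oc get pods`, `oc get resourcequota` and `oc get events`, each run with `-A -o json`, and flags namespaces where completed restartPolicy: Never pods outnumber the ResourceQuota pods limit or where events pile up. The function name `audit`, the sample data and both thresholds are assumptions.

```python
from collections import Counter

TERMINAL = {"Succeeded", "Failed"}  # phases of pods that have finished running

def audit(pods, quotas, events, event_threshold=1000):
    """Flag namespaces where completed restartPolicy: Never pods or events pile up."""
    done, live, evts, limit = Counter(), Counter(), Counter(), {}
    for p in pods["items"]:
        ns = p["metadata"]["namespace"]
        if p.get("status", {}).get("phase") not in TERMINAL:
            live[ns] += 1
        elif p["spec"].get("restartPolicy") == "Never":
            done[ns] += 1
    for e in events["items"]:
        evts[e["metadata"]["namespace"]] += 1
    for q in quotas["items"]:
        hard = q.get("spec", {}).get("hard", {})
        if "pods" in hard:  # several quotas may apply; the lowest limit wins
            ns = q["metadata"]["namespace"]
            limit[ns] = min(int(hard["pods"]), limit.get(ns, int(hard["pods"])))
    findings = []
    for ns in sorted(set(done) | set(evts)):
        reasons = []
        # Heuristic (assumption): more finished pods than the quota would admit
        if ns in limit and done[ns] > limit[ns]:
            reasons.append("completed pods exceed pods quota")
        if evts[ns] >= event_threshold:
            reasons.append("event volume at or above threshold")
        if reasons:
            findings.append({"namespace": ns, "pods_quota": limit.get(ns),
                             "running": live[ns], "completed_never": done[ns],
                             "events": evts[ns], "reasons": reasons})
    return findings

def _pod(ns, phase, policy="Never"):
    return {"metadata": {"namespace": ns}, "spec": {"restartPolicy": policy},
            "status": {"phase": phase}}

# Constructed sample data in the shape of `oc get <kind> -A -o json` output.
SAMPLE_PODS = {"items": [_pod("team-a", "Running", "Always")]
               + [_pod("team-a", "Succeeded") for _ in range(5)]
               + [_pod("team-b", "Running", "Always"),
                  _pod("team-b", "Succeeded", "OnFailure")]}
SAMPLE_QUOTAS = {"items": [
    {"metadata": {"namespace": "team-a"}, "spec": {"hard": {"pods": "2"}}},
    {"metadata": {"namespace": "team-b"}, "spec": {"hard": {"pods": "5"}}}]}
SAMPLE_EVENTS = {"items": [{"metadata": {"namespace": "team-a"}}] * 12
                 + [{"metadata": {"namespace": "team-b"}}] * 3}

if __name__ == "__main__":
    print(audit(SAMPLE_PODS, SAMPLE_QUOTAS, SAMPLE_EVENTS, event_threshold=10))
```

Tune `event_threshold` to the cluster's normal per-namespace event volume before alerting on it.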
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.