Description
A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.
Published: 2026-06-01
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Completed pods that have a restartPolicy set to Never are not counted against the ResourceQuota pod limits, and Kubernetes events generated by those pods are not scoped to any quota. This flaw, classified as a resource exhaustion weakness (CWE‑770), allows a user with permission to create pods to intentionally submit a large volume of such pods, leading to an accumulation of events in the cluster’s etcd store and causing observable degradation of the API server’s performance.

Affected Systems

The vulnerability affects Red Hat OpenShift Container Platform 4. No specific version range is listed, so all current releases of this platform are potentially impacted.

Risk and Exploitability

The CVSS score of 5 indicates medium severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The likely attacker is any non-privileged user who can create pods in a namespace; by repeatedly creating pods with restartPolicy Never, an attacker can flood etcd with events, resulting in cluster-wide API degradation. The risk is moderate, driven primarily by the ability to consume cluster resources and degrade services. Exploitation requires only the ability to create pods, which is a common permission for many users.

Generated by OpenCVE AI on June 1, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Configure ResourceQuota objects to correctly enforce pod limits for all restartPolicies, ensuring that pods with restartPolicy Never are counted.
  • Enable or tighten event rate limiting on the kube‑apiserver to prevent excessive event generation.
  • Restrict pod creation permissions to trusted roles and consider revoking permissions from non‑privileged users until a vendor patch is available.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat openshift Container Platform
Vendors & Products | | Redhat openshift Container Platform

Tue, 02 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster.
Title | | Openshift: openshift: non-admin user can bypass resourcequota and flood etcd with events causing cluster-wide api degradation
First Time appeared | | Redhat; Redhat openshift
Weaknesses | | CWE-770
CPEs | | cpe:/a:redhat:openshift:4
Vendors & Products | | Redhat; Redhat openshift
References | |
Metrics | | cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-02T13:39:19.525Z

Reserved: 2026-06-01T11:32:36.795Z

Link: CVE-2026-10533

Vulnrichment

Updated: 2026-06-02T13:38:59.359Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T15:16:33.443

Modified: 2026-06-01T16:57:45.130

Link: CVE-2026-10533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:15:16Z

Weaknesses