PatchSiren cyber security CVE debrief

CVE-2026-10533 Red Hat CVE debrief

A flaw in OpenShift Container Platform allows non-privileged users to degrade cluster-wide API server performance by exploiting a gap between pod lifecycle behavior and ResourceQuota enforcement. Completed pods configured with restartPolicy: Never are not counted toward ResourceQuota pod limits, and Kubernetes events are not subject to quota scoping. A user with pod creation permissions in a namespace can generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster. The vulnerability was published on 2026-06-01 with a CVSS 3.1 score of 5.0 (MEDIUM). The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). Vendor attribution points to Red Hat based on reference domain evidence, though confidence is low and review is needed.

Vendor: Red Hat
Product: Red Hat OpenShift Container Platform 4
CVSS: 5.0 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

OpenShift cluster administrators, platform engineering teams, DevOps engineers managing multi-tenant Kubernetes environments, and security teams responsible for namespace isolation and resource governance.

Technical summary

The vulnerability stems from two interacting Kubernetes behaviors in OpenShift Container Platform. First, pods with restartPolicy: Never that reach a completed state are excluded from ResourceQuota pod count calculations, so completed pods can accumulate in a namespace without limit. Second, Kubernetes events are not scoped by ResourceQuota, so event generation is not throttled by quota mechanisms. A non-privileged user with pod creation rights can repeatedly create pods that generate events, causing unbounded etcd growth. Since etcd is the backing store for the Kubernetes API server, this accumulation degrades API server performance cluster-wide. The attack requires low privileges (pod creation in a namespace) and has a changed scope (S:C), indicating impact beyond the vulnerable component. No confidentiality or integrity impact is assigned; only availability is affected, and that impact is rated low.

Defensive priority

medium

Recommended defensive actions

  • Audit ResourceQuota configurations in all namespaces to verify pod count limits are enforced as expected
  • Monitor etcd size and API server latency metrics for anomalous growth patterns
  • Review pod creation permissions and apply principle of least privilege for namespace-level users
  • Investigate whether admission controllers or custom policies can enforce event rate limiting or event quota scoping
  • Track Red Hat Bugzilla 2483727 for official patches and advisory updates
  • Consider temporary mitigations such as event retention policies or etcd compaction schedules to limit accumulation impact
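As an added example (not PatchSiren's, Red Hat's or Kubernetes' own code), the following Python helper makes the quota gap from the technical summary concrete and covers the first two actions above: it takes pod, event and ResourceQuota objects in the JSON layout that `kubectl get <kind> -A -o json` returns, applies the quota rule that pods in a terminal phase (Succeeded or Failed) are not counted against the `pods` limit, and reports namespaces where terminal pods and events pile up outside that limit. The sample objects, the namespace names and the two alert thresholds are constructed for this example and are not values from the advisory.

```python
"""Audit helper (added example; not PatchSiren, Red Hat or Kubernetes code).

Per namespace it reports how many pods the `pods` quota really counts,
how many completed/failed pods sit outside that count, and how many
Events exist together with the objects that emit most of them.
All sample objects below are constructed for this example.
"""
from collections import Counter, defaultdict

# Kubernetes quota accounting excludes pods in a terminal phase.
TERMINAL_PHASES = {"Succeeded", "Failed"}


def pod_counts_per_namespace(pod_list):
    """Return {ns: (pods counted by quota, terminal pods not counted)}."""
    counted, terminal = Counter(), Counter()
    for pod in pod_list["items"]:
        ns = pod["metadata"]["namespace"]
        phase = pod.get("status", {}).get("phase", "Pending")
        if phase in TERMINAL_PHASES:
            terminal[ns] += 1
        else:
            counted[ns] += 1
    return {ns: (counted[ns], terminal[ns]) for ns in set(counted) | set(terminal)}


def event_stats_per_namespace(event_list):
    """Return {ns: (total events, Counter of 'Kind/name' emitters)}."""
    totals, sources = Counter(), defaultdict(Counter)
    for ev in event_list["items"]:
        ns = ev["metadata"]["namespace"]
        obj = ev.get("involvedObject", {})
        key = f'{obj.get("kind", "?")}/{obj.get("name", "?")}'
        n = ev.get("count", 1)  # `count` aggregates repeated events; default 1
        totals[ns] += n
        sources[ns][key] += n
    return {ns: (totals[ns], sources[ns]) for ns in totals}


def quota_pod_limit(quota_list, ns):
    """Hard `pods` (or `count/pods`) limit for a namespace, None if unset."""
    for q in quota_list["items"]:
        if q["metadata"]["namespace"] != ns:
            continue
        hard = q.get("spec", {}).get("hard", {})
        limit = hard.get("pods", hard.get("count/pods"))
        if limit is not None:
            return int(limit)
    return None


def audit(pod_list, event_list, quota_list, terminal_threshold=100, event_threshold=1000):
    """Return finding strings; empty list when nothing exceeds the thresholds."""
    findings = []
    pods = pod_counts_per_namespace(pod_list)
    events = event_stats_per_namespace(event_list)
    for ns in sorted(set(pods) | set(events)):
        counted, terminal = pods.get(ns, (0, 0))
        limit = quota_pod_limit(quota_list, ns)
        if terminal >= terminal_threshold:
            findings.append(f"{ns}: {terminal} terminal pods outside quota count "
                            f"(quota counts {counted}, hard limit {limit})")
        total, sources = events.get(ns, (0, Counter()))
        if total >= event_threshold:
            top = ", ".join(f"{k}={v}" for k, v in sources.most_common(3))
            findings.append(f"{ns}: {total} events not subject to quota; top emitters: {top}")
    return findings


# --- constructed sample data (hypothetical namespaces tenant-a / tenant-b) ---
def _pod(ns, name, phase):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"restartPolicy": "Never"}, "status": {"phase": phase}}


def _event(ns, kind, name, count=1):
    return {"metadata": {"namespace": ns},
            "involvedObject": {"kind": kind, "name": name}, "count": count}


SAMPLE_PODS = {"items": [_pod("tenant-a", f"run-{i}", "Running") for i in range(5)]
               + [_pod("tenant-a", f"done-{i}", "Succeeded") for i in range(250)]
               + [_pod("tenant-b", "web-0", "Running")]}
SAMPLE_EVENTS = {"items": [_event("tenant-a", "Pod", f"done-{i}", count=5) for i in range(250)]
                 + [_event("tenant-b", "Pod", "web-0")]}
SAMPLE_QUOTAS = {"items": [{"metadata": {"namespace": "tenant-a", "name": "tenant-a-quota"},
                            "spec": {"hard": {"pods": "10"}}}]}

if __name__ == "__main__":
    for line in audit(SAMPLE_PODS, SAMPLE_EVENTS, SAMPLE_QUOTAS):
        print(line)
```

In the sample, tenant-a holds a `pods: 10` quota and only 5 pods count toward it, yet 250 completed pods and 1250 events sit in etcd for that namespace, which is exactly the accumulation the advisory describes. On a real cluster, feed the function the output of `kubectl get pods -A -o json`, `kubectl get events -A -o json` and `kubectl get resourcequotas -A -o json` and tune the thresholds to the namespace's normal churn; a rising terminal-pod or event total in a namespace that reports no quota pressure is the signal worth alerting on.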

Evidence notes

CVE description states the flaw exists in OpenShift Container Platform. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L confirms network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low availability impact. Weakness source [email protected] identifies CWE-770. References include Red Hat Security CVE page and Bugzilla bug 2483727.

Official resources

2026-06-01