Which 4.y.z to 4.y'.z' updates increase vulnerability?

Any version to 4.18 versions lower than 4.18.13

Which types of clusters?

All clusters

What is the impact? Is it serious enough to warrant removing update recommendations?

cri-o fails to pull a v1 schema image whenever it contains a compressed layer for which an uncompressed version exists

• schema1 image
• compressed layer reference does not match, but we have a BlobInfoCache entry for the compressed digest recording an uncompressed digest, and a local layer matching the uncompressed digest exists in c/storage

Additionally, cri-o fails to run a container due to improper decoding of v1 schema. This is tracked in OCPBUGS-42844 and as of not yet fixed in OCP 4.18.

How involved is remediation?

No remediation available except updating to fixed OCP

Is this a regression?

Yes