Skip to main content

CVE-2026-21991

| EUVDEUVD-2026-12522 MEDIUM
Path Traversal (CWE-22)
2026-03-16 secalert_us@oracle.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 17, 2026 - 20:45 euvd
EUVD-2026-12522
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
CVE Published
Mar 16, 2026 - 22:16 nvd
MEDIUM 5.5

DescriptionCVE.org

A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.

AnalysisAI

The DTrace dtprobed component contains a path traversal vulnerability (CWE-22) that allows local attackers with limited privileges to create arbitrary files on the system by supplying crafted USDT provider names. This vulnerability affects Oracle Linux 8, 9, and 10, and while it carries a CVSS score of 5.5, the EPSS score of 0.01% (percentile 2%) indicates very low exploitation probability in the wild, with no evidence of active exploitation or public proof-of-concept code.

Technical ContextAI

DTrace is a dynamic tracing framework included in Unix-like systems that allows real-time analysis of system and application behavior. The dtprobed daemon is a DTrace component that processes User Statically Defined Tracing (USDT) provider definitions. The vulnerability stems from insufficient input validation on USDT provider names, which are passed unsanitized to file creation operations, enabling a classic path traversal attack (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). An attacker can inject directory traversal sequences (e.g., '../') into provider names to write files outside the intended DTrace working directory, potentially to sensitive locations like system configuration or library directories.

RemediationAI

Apply the security update from Oracle that patches the dtprobed component for Oracle Linux 8, 9, and 10; exact version numbers should be obtained from https://linux.oracle.com/cve/CVE-2026-21991.html. Until patches are applied, mitigate by restricting access to the dtprobed daemon through file system permissions (ensure only privileged users can invoke DTrace), disabling USDT provider registration if not required for operations, and monitoring file creation in sensitive directories (e.g., /etc, /usr/lib) for suspicious activity. Given the low EPSS score, patching can be scheduled during regular maintenance windows rather than as an emergency out-of-band update.

Share

CVE-2026-21991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy