Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.
AnalysisAI
The DTrace dtprobed component contains a path traversal vulnerability (CWE-22) that allows local attackers with limited privileges to create arbitrary files on the system by supplying crafted USDT provider names. This vulnerability affects Oracle Linux 8, 9, and 10, and while it carries a CVSS score of 5.5, the EPSS score of 0.01% (percentile 2%) indicates very low exploitation probability in the wild, with no evidence of active exploitation or public proof-of-concept code.
Technical ContextAI
DTrace is a dynamic tracing framework included in Unix-like systems that allows real-time analysis of system and application behavior. The dtprobed daemon is a DTrace component that processes User Statically Defined Tracing (USDT) provider definitions. The vulnerability stems from insufficient input validation on USDT provider names, which are passed unsanitized to file creation operations, enabling a classic path traversal attack (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). An attacker can inject directory traversal sequences (e.g., '../') into provider names to write files outside the intended DTrace working directory, potentially to sensitive locations like system configuration or library directories.
RemediationAI
Apply the security update from Oracle that patches the dtprobed component for Oracle Linux 8, 9, and 10; exact version numbers should be obtained from https://linux.oracle.com/cve/CVE-2026-21991.html. Until patches are applied, mitigate by restricting access to the dtprobed daemon through file system permissions (ensure only privileged users can invoke DTrace), disabling USDT provider registration if not required for operations, and monitoring file creation in sensitive directories (e.g., /etc, /usr/lib) for suspicious activity. Given the low EPSS score, patching can be scheduled during regular maintenance windows rather than as an emergency out-of-band update.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12522