Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.
Articles & Coverage 1
AnalysisAI
DTrace kernel instrumentation tool on Linux is vulnerable to a denial-of-service and potential privilege escalation attack when processing malicious ELF binaries with out-of-range sh_link fields. An unprivileged attacker can craft an ELF binary that, when instrumented by a root-level dtrace process, triggers an out-of-bounds heap read in the ELF parser. This can crash the dtrace daemon (DoS) or, depending on heap layout, lead to reading and dereferencing garbage pointers controlled by the attacker, potentially enabling code execution in a privileged context. The vulnerability requires local access and a privileged dtrace instance to be actively instrumentation the malicious process, but carries significant risk given dtrace's typical deployment in system administration and security monitoring contexts.
Technical ContextAI
The vulnerability exists in DTrace's user-space ELF binary parser, which reads section header link fields (sh_link) from ELF object files without validating bounds against the section header table size. When dtrace attaches to a process via the -p option, pid probes, or USDT (Userland Statically Defined Tracing) markers, it parses the target process's ELF binary to understand instrumentation points. A crafted sh_link value pointing beyond the allocated section cache array causes the parser to read uninitialized or attacker-controlled heap memory. This is a classic out-of-bounds read flaw (CWE-125 class), compounded by potential use-after-free or type confusion if the read garbage value is subsequently dereferenced as a pointer. DTrace operates with the privileges of the user invoking it; when run as root (a common deployment scenario for system tracing), the process runs in a privileged context, making heap corruption in the dtrace daemon itself a privilege-escalation vector.
RemediationAI
Patch availability is not confirmed in the provided data; users should immediately check the Oracle Linux security advisory (https://linux.oracle.com/cve/CVE-2026-35233.html) for a published fix version and apply it to dtrace and related userspace tools. If a vendor patch is unavailable, the following mitigations reduce risk: (1) Restrict dtrace usage to trusted administrators only by removing SUID bits or limiting /dev/dtrace device access to a specific group, accepting the trade-off that system-level performance analysis becomes unavailable to unprivileged users. (2) Deploy dtrace in a containerized or sandboxed environment (e.g., systemd-nspawn, podman) with limited kernel capabilities, reducing the blast radius if the dtrace daemon is compromised. (3) Monitor dtrace process crashes (exit code 139 or segmentation faults) in system logs; frequent crashes when profiling untrusted processes may indicate active exploit attempts. (4) Disable or restrict USDT probes and pid-based tracing if not actively required for monitoring, reducing the attack surface for path triggering the ELF parser.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26702