Skip to main content

DTrace CVE-2026-35233

| EUVDEUVD-2026-26702 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-01 secalert_us@oracle.com
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 18:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 18:22 euvd
EUVD-2026-26702
Analysis Generated
May 01, 2026 - 18:22 vuln.today
CVE Published
May 01, 2026 - 18:16 nvd
MEDIUM 4.4

DescriptionCVE.org

An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.

AnalysisAI

DTrace kernel instrumentation tool on Linux is vulnerable to a denial-of-service and potential privilege escalation attack when processing malicious ELF binaries with out-of-range sh_link fields. An unprivileged attacker can craft an ELF binary that, when instrumented by a root-level dtrace process, triggers an out-of-bounds heap read in the ELF parser. This can crash the dtrace daemon (DoS) or, depending on heap layout, lead to reading and dereferencing garbage pointers controlled by the attacker, potentially enabling code execution in a privileged context. The vulnerability requires local access and a privileged dtrace instance to be actively instrumentation the malicious process, but carries significant risk given dtrace's typical deployment in system administration and security monitoring contexts.

Technical ContextAI

The vulnerability exists in DTrace's user-space ELF binary parser, which reads section header link fields (sh_link) from ELF object files without validating bounds against the section header table size. When dtrace attaches to a process via the -p option, pid probes, or USDT (Userland Statically Defined Tracing) markers, it parses the target process's ELF binary to understand instrumentation points. A crafted sh_link value pointing beyond the allocated section cache array causes the parser to read uninitialized or attacker-controlled heap memory. This is a classic out-of-bounds read flaw (CWE-125 class), compounded by potential use-after-free or type confusion if the read garbage value is subsequently dereferenced as a pointer. DTrace operates with the privileges of the user invoking it; when run as root (a common deployment scenario for system tracing), the process runs in a privileged context, making heap corruption in the dtrace daemon itself a privilege-escalation vector.

RemediationAI

Patch availability is not confirmed in the provided data; users should immediately check the Oracle Linux security advisory (https://linux.oracle.com/cve/CVE-2026-35233.html) for a published fix version and apply it to dtrace and related userspace tools. If a vendor patch is unavailable, the following mitigations reduce risk: (1) Restrict dtrace usage to trusted administrators only by removing SUID bits or limiting /dev/dtrace device access to a specific group, accepting the trade-off that system-level performance analysis becomes unavailable to unprivileged users. (2) Deploy dtrace in a containerized or sandboxed environment (e.g., systemd-nspawn, podman) with limited kernel capabilities, reducing the blast radius if the dtrace daemon is compromised. (3) Monitor dtrace process crashes (exit code 139 or segmentation faults) in system logs; frequent crashes when profiling untrusted processes may indicate active exploit attempts. (4) Disable or restrict USDT probes and pid-based tracing if not actively required for monitoring, reducing the attack surface for path triggering the ELF parser.

Share

CVE-2026-35233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy