Description
An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.
Published: 2026-05-01
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can create a malicious ELF binary that contains a sh_link value beyond the valid range of the section header table. When a root‑level dtrace instance attaches to this process using traditional or user‑specified probes, the ELF parser reads memory beyond the bounds of the section cache array without a bounds check. This uninitialized or out‑of‑bounds heap read may first trigger a NULL pointer dereference that crashes the dtrace process, causing a denial‑of‑service (DoS). Depending on the heap layout, the read may also return a pointer that is under the attacker’s control, giving the attacker a foothold for further exploitation while dtrace operates with elevated privileges.

Affected Systems

Oracle Linux installations that include the dtrace user‑space utility and have not received the patch addressing CVE‑2026‑35233 remain affected. No specific version range is listed. Administrators should verify if the proprietary kernel modules include this vulnerability.

Risk and Exploitability

The CVSS score of 4.4 indicates low to moderate severity. Because EPSS is not available, the global exploitation probability is unknown. The CVE is not listed in CISA KEV, implying no confirmed or widely reported exploitation. The attack vector requires a local unprivileged user to craft a malicious ELF binary and a privileged administrator to attach dtrace. In environments where dtrace is used extensively, repeated crashes could lead to a denial‑of‑service or, if an attacker can influence the resulting garbage pointer, a potential escalation path in a privileged context.

Generated by OpenCVE AI on May 2, 2026 at 06:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Oracle Linux update that contains the dtrace ELF parser fix
  • If patching is delayed, restrict the use of dtrace for untrusted processes or disable it entirely in the environment
  • Apply SELinux or other mandatory access controls to prevent unprivileged users from attaching dtrace probes to arbitrary processes

Generated by OpenCVE AI on May 2, 2026 at 06:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 07:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds ELF Parsing in dtrace Causes Crash or Privilege Escalation

Fri, 01 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle Corporation
Oracle Corporation oracle Linux
Vendors & Products Oracle Corporation
Oracle Corporation oracle Linux

Fri, 01 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Oracle Corporation Oracle Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-01T18:16:32.848Z

Reserved: 2026-04-01T20:03:40.833Z

Link: CVE-2026-35233

cve-icon Vulnrichment

Updated: 2026-05-01T18:16:28.686Z

cve-icon NVD

Status : Received

Published: 2026-05-01T18:16:14.647

Modified: 2026-05-01T19:16:30.120

Link: CVE-2026-35233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses