CVE-2026-35233: Oracle Linux DTrace DoS Vulnerability

CVE-2026-35233 Overview

CVE-2026-35233 is an out-of-bounds read vulnerability [CWE-125] affecting the dtrace ELF parser on Oracle Linux. An unprivileged local attacker can craft a user-space process containing a malicious ELF binary with an out-of-range sh_link field. When a root-level dtrace instance attaches to or instruments that process through dtrace -p, pid probes, or User Statically Defined Tracing (USDT), the parser reads heap memory beyond the allocated section cache array without bounds checking. The resulting condition causes either a NULL pointer dereference crash of the privileged dtrace process or a read-then-use of an attacker-influenced garbage pointer.

Critical Impact

A low-privileged local user can crash the privileged dtrace process or potentially gain a foothold for further exploitation in a root context by manipulating adjacent heap allocations.

Affected Products

• Oracle Linux 8
• Oracle Linux 9
• Oracle Linux 10

Discovery Timeline

• 2026-05-01 - CVE-2026-35233 published to NVD
• 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2026-35233

Vulnerability Analysis

The flaw resides in the ELF parsing logic used by dtrace when it attaches to a target process for instrumentation. During section header processing, the parser uses the sh_link field from the ELF section header as an index into an internal section cache array. The implementation does not validate that sh_link falls within the allocated bounds of this array before dereferencing it.

When dtrace runs with root privileges and attaches to an attacker-controlled process via dtrace -p <pid>, pid probes, or USDT tracepoints, the parser reads adjacent heap memory. Depending on heap layout, the read returns either uninitialized data leading to a NULL pointer dereference, or a valid-looking pointer controlled by neighboring allocations that the parser then dereferences in a privileged context.

Root Cause

The root cause is missing bounds validation on the sh_link field prior to using it as an array index in the section cache lookup. The ELF specification permits sh_link to hold arbitrary 32-bit values, and the parser trusts the supplied value without comparing it against the allocated cache size. This violates standard input validation requirements for parsing untrusted file formats.

Attack Vector

Exploitation requires local access and the ability to execute a process under the attacker's control. The attacker compiles or modifies an ELF binary so that one of its section headers contains an out-of-range sh_link value, then launches the binary as a normal user process. When an administrator subsequently runs dtrace against that process, the privileged parser triggers the out-of-bounds read. The vulnerability cannot be self-triggered without the privileged dtrace invocation, which limits direct attacker control over timing.

No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Oracle CVE-2026-35233 Advisory for vendor-specific technical detail.

Detection Methods for CVE-2026-35233

Indicators of Compromise

• Unexpected crashes or segmentation faults of the dtrace process when attaching to user processes via -p, pid probes, or USDT.
• Core dumps from dtrace showing faults inside ELF section header parsing routines.
• Unprivileged users running custom or modified ELF binaries shortly before dtrace instability.

Detection Strategies

• Monitor the kernel audit log and systemd-coredump for dtrace process terminations on Oracle Linux 8, 9, and 10 hosts.
• Inspect ELF binaries executed by non-root users for malformed section headers, specifically sh_link values exceeding the section header count.
• Correlate process execution telemetry with subsequent dtrace invocations targeting the same PID.

Monitoring Recommendations

• Alert on repeated dtrace crashes across endpoints, which may indicate probing for exploitation primitives.
• Track usage of dtrace -p against processes owned by non-administrative users.
• Baseline normal dtrace activity to surface anomalous instrumentation patterns from operations or monitoring tooling.

How to Mitigate CVE-2026-35233

Immediate Actions Required

• Apply the Oracle Linux security update for dtrace referenced in the Oracle CVE-2026-35233 Advisory on all affected Oracle Linux 8, 9, and 10 systems.
• Restrict dtrace usage to trusted administrators and avoid attaching dtrace to processes owned by untrusted local users until patched.
• Audit which users have shell access to systems where dtrace is routinely executed.

Patch Information

Oracle has published advisory information for CVE-2026-35233 covering Oracle Linux 8, 9, and 10. Administrators should install updated dtrace packages through dnf update or yum update and verify the installed version against the vendor advisory before re-enabling instrumentation workflows.

Workarounds

• Avoid running dtrace -p, pid probes, or USDT instrumentation against processes launched by unprivileged or untrusted users until the patch is deployed.
• Limit dtrace execution to a controlled set of administrative accounts using sudo policies.
• Where instrumentation is required, restrict targets to binaries from trusted package sources and verify ELF integrity before attaching.