{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21991", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.717Z", "datePublished": "2026-03-16T21:36:44.856Z", "dateUpdated": "2026-03-17T13:35:45.790Z"}, "containers": {"cna": {"affected": [{"product": "Oracle Linux", "vendor": "Oracle Corporation", "versions": [{"status": "affected", "version": "8"}, {"status": "affected", "version": "9"}, {"status": "affected", "version": "10"}]}], "descriptions": [{"lang": "en", "value": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.", "lang": "en", "type": "text"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-03-16T21:36:44.856Z"}, "references": [{"name": "Oracle Advisory", "tags": ["vendor-advisory"], "url": "https://linux.oracle.com/cve/CVE-2026-21991.html"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:35:15.508371Z", "id": "CVE-2026-21991", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:35:45.790Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:35:15.508371Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:35:41.575Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Linux", "versions": [{"status": "affected", "version": "8"}, {"status": "affected", "version": "9"}, {"status": "affected", "version": "10"}]}], "references": [{"url": "https://linux.oracle.com/cve/CVE-2026-21991.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names."}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-03-16T21:36:44.856Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21991", "state": "PUBLISHED", "dateUpdated": "2026-03-17T13:35:45.790Z", "dateReserved": "2026-01-05T18:07:34.717Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-03-16T21:36:44.856Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oracle:linux:8:-:*:*:*:*:*:*", "matchCriteriaId": "CA9021D6-6027-42E9-A12D-7EA32C5C63F1", "vulnerable": true}, {"criteria": "cpe:2.3:o:oracle:linux:9:0:*:*:*:*:*:*", "matchCriteriaId": "C848CA1D-A42D-4AF1-9D95-E6268F9C1880", "vulnerable": true}, {"criteria": "cpe:2.3:o:oracle:linux:10:0:*:*:*:*:*:*", "matchCriteriaId": "1F606DC6-31B5-4102-B174-D565662C4829", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names."}, {"lang": "es", "value": "Un componente de DTrace, dtprobed, permite la creaci\u00f3n arbitraria de archivos mediante nombres de proveedores USDT manipulados."}], "id": "CVE-2026-21991", "lastModified": "2026-04-07T01:02:06.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert_us@oracle.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T22:16:18.397", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://linux.oracle.com/cve/CVE-2026-21991.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "10"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Oracle Linux", "source": "cna", "vendor": "Oracle Corporation"}, "product": "oracle_linux", "vendor": "oracle_corporation"}], "analysis": {"en": {"generated_at": "2026-03-17T16:47:28.642542+00:00", "value": {"mitigation_remediation": ["Check Oracle's official advisories for a patch or updated release that addresses the dtprobed flaw.", "Limit access to the dtrace and dtprobed utilities to trusted users or services, and enforce SELinux/AppArmor policies to prevent unauthorized file creation.", "Continuously monitor filesystem events and audit logs for unexpected file creation activity that could indicate exploitation."], "summary": {"action": "Assess Impact", "impact": "Arbitrary File Creation"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the Oracle Linux operating system distributed by Oracle Corporation. No specific version information is currently listed in the extracted CNA data, so all builds that contain the affected dtprobed component should be considered potentially impacted until vendor guidance is available.", "description_and_impact": "A DTrace component, dtprobed, allows the creation of arbitrary files on the system when exposed to specially crafted User\u2011Stated Tracing (USDT) provider names. This flaw gives an attacker the ability to write files to any location within the file system that the dtprobed process can write to, potentially enabling privilege escalation or other malicious actions. The weakness is classified as CWE\u201122, indicating improper handling of absolute or relative file paths.", "risk_and_exploitability": "The publicly available CVSS score for this issue is 5.5, indicating a moderate severity. The EPSS score is <1%, suggesting a low probability of exploitation in the wild. Because the vulnerability is not listed in the CISA KEV catalog, no evidence of active exploitation has been reported. Attackers would need to supply crafted USDT provider names to the dtprobed daemon, but the exact attack vector (e.g., local vs. remote) is not detailed in the advisory, so it is inferred that the flaw may require local access or interaction with the DTrace framework."}}}}, "created": "2026-03-17T09:52:06.199609+00:00", "title": "DTrace dtprobed Arbitrary File Creation via Crafted USDT Provider Names", "updated": "2026-03-24T10:49:45.572171+00:00", "vendors": ["oracle_corporation", "oracle_corporation$PRODUCT$oracle_linux"]}