Oracle Linux DTrace Privilege Escalation Vulnerability via Malicious ELF Binary

A vulnerability exists in Oracle Linux versions 8, 9, and 10, allowing an unprivileged attacker to create a user-space process with a harmful ELF binary that includes an out-of-range sh_link field. When the root-level DTrace tool attaches to this process, the ELF parser improperly reads heap memory beyond the allocated section cache array, lacking any bounds check. This flaw leads to an uninitialized or out-of-bounds heap read, which can cause a NULL pointer dereference, crashing the DTrace process and creating a denial-of-service condition. Alternatively, depending on the heap layout, it could result in a read-then-use of a garbage pointer controlled by adjacent allocations, potentially allowing further exploitation in a privileged context.

Impact

Exploitation of this vulnerability can cause a crash of the DTrace process due to a NULL pointer dereference, creating a denial-of-service condition. However, it could also lead to further exploitation in a privileged context by manipulating heap memory.

Remediation

Users can apply the available patches by referencing the Oracle Linux Errata ELSA-2026-50249, ELSA-2026-50250, and ELSA-2026-50251.