CVE-2026-35233 PUBLISHED

Assigner: oracle
Reserved: 01.04.2026 Published: 01.05.2026 Updated: 01.05.2026

An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 4.4

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Oracle Corporation
Product	Oracle Linux
Versions	Version 8 is affected Version 9 is affected Version 10 is affected

References

Oracle Advisory

Problem Types

An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context. text