{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21991", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.717Z", "datePublished": "2026-03-16T21:36:44.856Z", "dateUpdated": "2026-03-17T13:35:45.790Z"}, "containers": {"cna": {"affected": [{"product": "Oracle Linux", "vendor": "Oracle Corporation", "versions": [{"status": "affected", "version": "8"}, {"status": "affected", "version": "9"}, {"status": "affected", "version": "10"}]}], "descriptions": [{"lang": "en", "value": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.", "lang": "en", "type": "text"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-03-16T21:36:44.856Z"}, "references": [{"name": "Oracle Advisory", "tags": ["vendor-advisory"], "url": "https://linux.oracle.com/cve/CVE-2026-21991.html"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:35:15.508371Z", "id": "CVE-2026-21991", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:35:45.790Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:35:15.508371Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:35:41.575Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Linux", "versions": [{"status": "affected", "version": "8"}, {"status": "affected", "version": "9"}, {"status": "affected", "version": "10"}]}], "references": [{"url": "https://linux.oracle.com/cve/CVE-2026-21991.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names."}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-03-16T21:36:44.856Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21991", "state": "PUBLISHED", "dateUpdated": "2026-03-17T13:35:45.790Z", "dateReserved": "2026-01-05T18:07:34.717Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-03-16T21:36:44.856Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oracle:linux:8:-:*:*:*:*:*:*", "matchCriteriaId": "CA9021D6-6027-42E9-A12D-7EA32C5C63F1", "vulnerable": true}, {"criteria": "cpe:2.3:o:oracle:linux:9:0:*:*:*:*:*:*", "matchCriteriaId": "C848CA1D-A42D-4AF1-9D95-E6268F9C1880", "vulnerable": true}, {"criteria": "cpe:2.3:o:oracle:linux:10:0:*:*:*:*:*:*", "matchCriteriaId": "1F606DC6-31B5-4102-B174-D565662C4829", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names."}, {"lang": "es", "value": "Un componente de DTrace, dtprobed, permite la creaci\u00f3n arbitraria de archivos mediante nombres de proveedores USDT manipulados."}], "id": "CVE-2026-21991", "lastModified": "2026-04-07T01:02:06.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert_us@oracle.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T22:16:18.397", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://linux.oracle.com/cve/CVE-2026-21991.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "10"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Oracle Linux", "source": "cna", "vendor": "Oracle Corporation"}, "product": "oracle_linux", "vendor": "oracle_corporation"}], "analysis": {"en": {"generated_at": "2026-04-07T10:23:10.908370+00:00", "value": {"mitigation_remediation": ["Apply the latest Oracle Linux security update that patches dtprobed to fix the arbitrary file creation flaw", "If no patch is available, disable or restrict use of USDT provider names by configuring dtprobed or stopping the dtprobed service", "Ensure that operations involving USDT providers are performed only by trusted users with appropriate privileges", "Monitor system file events for unexpected creation of system files or binaries"], "summary": {"action": "Apply patch", "impact": "Arbitrary file creation"}, "threat_synthesis": {"affected_systems": "Oracle Linux 8, 9, and 10 are affected. The common platform enumeration strings indicate that every release in these three major series is susceptible, and no sub\u2011version distinctions are provided, so any current installation of these operating systems should be considered vulnerable unless a vendor\u2011specific update is applied.", "description_and_impact": "A flaw in Oracle Linux\u2019s DTrace tool, dtprobed, allows a malicious actor to create files anywhere on the system by supplying specially crafted User\u2011Level Statically Defined Tracing provider names. The resulting files could be binaries, configuration files, or other artifacts that might be used for persistence or privilege escalation if the attacker has sufficient rights. The vulnerability is classified as CWE\u201122, indicating a file or directory creation or traversal issue.", "risk_and_exploitability": "The CVSS score of 5.5 shows a medium severity, and the EPSS score of less than 1% suggests that automated exploitation is uncommon. The vulnerability is not listed in the CISA KEV catalog, so no widely deployed exploits are known. The likely attack vector requires an attacker to influence the dtprobed component or supply a crafted USDT provider name, which in practice means local or elevated privileges or the ability to trigger dtprobed. Based on the description, it is inferred that the attacker must run under a user with write access to the target directories or have the ability to execute dtprobed with such privileges. If such conditions are met, the flaw could enable arbitrary file creation, potentially leading to privilege escalation or persistence actions."}}}}, "created": "2026-03-17T09:52:06.199609+00:00", "updated": "2026-04-08T20:01:33.456930+00:00", "vendors": ["oracle_corporation", "oracle_corporation$PRODUCT$oracle_linux"]}