A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.

Affected packages

Package: dev-debug/dtrace on all architectures
Affected versions: < 2.0.6
Unaffected versions: >= 2.0.6

Background

DTrace is a dynamic tracing tool for analysing or debugging the whole system. Specifically, dtprobed is a component of the DTrace system that keeps track of USDT probes within running processes, parsing and storing the DOF they provide for later consumption by dtrace proper.

Description

A vulnerability has been found in dtprobed that allows for arbitrary file creation through specially crafted USDT provider names.

Impact

The worst possible outcome is the ability for an attacker to run arbitrary code via the maliciously created file.

Workaround

There is no known workaround at this time.

Resolution

All DTrace users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-debug/dtrace-2.0.6"

References

CVE-2026-21991

Release date: April 17, 2026
Latest revision: April 17, 2026: 1
Severity: normal
Exploitable: local
Bugzilla entries: 971491

A vulnerability (CVE-2026-21991, CVSS 5.5) in the DTrace component `dtprobed` allows local attackers to create arbitrary files via specially crafted USDT provider names, potentially leading to arbitrary code execution. The article states DTrace versions prior to 2.0.6 are affected and should be upgraded to version 2.0.6; the NVD data specifies Oracle Linux versions 8, 9, and 10 are affected. No workaround is currently known.