
Gentoo Linux released two security advisories addressing critical flaws in DTrace and FUSE that could allow attackers to execute arbitrary code. The first advisory highlights a vulnerability in the dtprobed component where specially crafted USDT provider names can trigger unauthorized file creation, potentially paving the way for malicious code execution. Meanwhile, a separate issue within FUSE involves both a null pointer dereference and a use-after-free bug that may crash the system or be exploited for remote code execution. Administrators running affected versions should immediately sync their package repositories and upgrade DTrace to at least version 2.0.6 while updating FUSE to version 3.18.1 or higher.

[ GLSA 202604-04 ] DTrace: Arbitrary file creation via dtprobed
[ GLSA 202604-03 ] FUSE: Multiple Vulnerabilities




[ GLSA 202604-04 ] DTrace: Arbitrary file creation via dtprobed


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202604-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: DTrace: Arbitrary file creation via dtprobed
Date: April 17, 2026
Bugs: #971491
ID: 202604-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A DTrace component, dtprobed, allows arbitrary file creation through
crafted USDT provider names.

Background
==========

DTrace is a dynamic tracing tool for analysing or debugging the whole
system. Specifically, dtprobed is a component of the DTrace system that
keeps track of USDT probes within running processes, parsing and storing
the DOF they provide for later consumption by dtrace proper.

Affected packages
=================

Package           Vulnerable    Unaffected
----------------  ------------  ------------
dev-debug/dtrace  < 2.0.6       >= 2.0.6

Description
===========

A vulnerability has been found in dtprobed that allows for arbitrary
file creation through specially crafted USDT provider names.

Impact
======

The worst possible outcome is the ability for an attacker to run
arbitrary code via the maliciously created file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All DTrace users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-debug/dtrace-2.0.6"

References
==========

[ 1 ] CVE-2026-21991
https://nvd.nist.gov/vuln/detail/CVE-2026-21991

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202604-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2026 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202604-03 ] FUSE: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202604-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: FUSE: Multiple Vulnerabilities
Date: April 17, 2026
Bugs: #971552
ID: 202604-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in FUSE, the worst of which can
lead to code execution.

Background
==========

FUSE (Filesystem in Userspace) is an interface for userspace programs to
export a filesystem to the Linux kernel.

Affected packages
=================

Package      Vulnerable    Unaffected
-----------  ------------  ------------
sys-fs/fuse  < 3.18.1      >= 3.18.1

Description
===========

The following vulnerabilities have been discovered in FUSE: a NULL
pointer dereference (when running with the NUMA architecture) and a
use-after-free, the worst of which can lead to code execution. Please
review the CVE identifiers referenced below for details.

Impact
======

The following is a possible outcome: denial of service (crash) and
potential code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FUSE users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/fuse-3.18.1:3"
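
To confirm whether a host is inside the vulnerable range of either advisory before and after upgrading, the sketch below classifies an installed version against the "Unaffected" floors from the two tables. It is an added example, not part of the Gentoo advisories; the function names are hypothetical, the sample versions are constructed, and check_host assumes qlist from app-portage/portage-utils is installed.

```shell
#!/bin/sh
# Added example (not from the GLSAs): compare installed versions with the
# "Unaffected" floors listed in GLSA 202604-04 and GLSA 202604-03.

# glsa_floor PKG -> first unaffected version, empty if no advisory covers PKG
glsa_floor() {
    case "$1" in
        dev-debug/dtrace) echo "2.0.6" ;;    # GLSA 202604-04
        sys-fs/fuse)      echo "3.18.1" ;;   # GLSA 202604-03
        *)                echo "" ;;
    esac
}

# glsa_status PKG VERSION -> vulnerable | unaffected | unknown
glsa_status() {
    floor=$(glsa_floor "$1")
    [ -n "$floor" ] || { echo unknown; return; }
    ver=${2%-r[0-9]*}    # drop a Gentoo revision suffix such as -r1
    # Portage orders _alpha/_beta/_rc/_p suffixes differently from sort -V,
    # so report those as unknown and leave them for manual review.
    case "$ver" in
        *_*|"") echo unknown; return ;;
    esac
    lowest=$(printf '%s\n%s\n' "$ver" "$floor" | sort -V | head -n 1)
    if [ "$lowest" = "$floor" ]; then
        echo unaffected    # floor <= installed version
    else
        echo vulnerable
    fi
}

# check_host: classify what is actually installed (needs qlist on Gentoo)
check_host() {
    command -v qlist >/dev/null 2>&1 || { echo "qlist not found"; return 0; }
    for pkg in dev-debug/dtrace sys-fs/fuse; do
        qlist -Ive "$pkg" | while read -r atom; do
            echo "$atom: $(glsa_status "$pkg" "${atom#"$pkg"-}")"
        done
    done
}

# Constructed sample versions, so the script also runs off a Gentoo host
for sample in "dev-debug/dtrace 2.0.5" "dev-debug/dtrace 2.0.6" \
              "sys-fs/fuse 3.18.0-r2" "sys-fs/fuse 3.18.1"; do
    set -- $sample
    echo "$1-$2: $(glsa_status "$1" "$2")"
done
```

Call check_host on the Gentoo system itself; a result of "unknown" means the version carries a suffix that should be compared with Portage rather than with sort -V.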

References
==========

[ 1 ] CVE-2026-33150
https://nvd.nist.gov/vuln/detail/CVE-2026-33150
[ 2 ] CVE-2026-33179
https://nvd.nist.gov/vuln/detail/CVE-2026-33179

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202604-03
