Offis Dcmtk


By the Year

In 2026 there have been 3 vulnerabilities in Offis Dcmtk with an average score of 6.6 out of ten. Last year, in 2025, Dcmtk had 5 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Dcmtk in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.09.

Year  Vulnerabilities  Average Score
2026  3                6.63
2025  5                6.54
2024  4                5.70
2023  0                0.00
2022  8                8.42
2021  0                0.00
2020  0                0.00
2019  1                9.80

It may take a day or so for new Dcmtk vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Offis Dcmtk Security Vulnerabilities

OFFIS DCMTK <3.7.0 Heap-Overflow in XMLNode::parseFile
CVE-2026-12805 6.3 - Medium - June 21, 2026

A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected function is XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Manipulated input can trigger a heap-based buffer overflow. The attack may be performed remotely. An exploit has been published and may be used. The fix is patch 1d4b3815c0987840a983160bfc671fef63a3105b; applying it resolves the issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Heap-based Buffer Overflow

OFFIS DCMTK 3.7.0 dcmqrscp Heap Buffer Overflow
CVE-2026-10194 6.3 - Medium - May 31, 2026

A weakness has been identified in OFFIS DCMTK 3.7.0. The affected function is DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages in the file dcmqrdb/libsrc/dcmqrdbi.cc of the dcmqrscp component. Manipulated input can trigger a heap-based buffer overflow. The attack may be launched remotely. The fix is patch 0f78a4ef6f645ea5530166e445e5436a5de58e75; applying it remediates the issue.

Heap-based Buffer Overflow

DCMTK <=3.7.0 storescp ExecOnRec OS Cmd Inj
CVE-2026-5663 7.3 - High - April 06, 2026

A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. It affects the functions executeOnReception/executeOnEndOfStudy in the file dcmnet/apps/storescp.cc of the storescp component. Manipulated input results in OS command injection. Remote exploitation is possible. The fix is patch edbb085e45788dccaf0e64d71534cfca925784b8; applying it is the recommended action.

Shell injection

OFFIS DCMTK <=3.6.9 dcmqrscp NPE via local access
CVE-2025-14841 3.3 - Low - December 18, 2025

A flaw has been found in OFFIS DCMTK up to 3.6.9. The affected functions are DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the dcmqrscp component. Manipulated input causes a null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue; the fix is patch ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component.

NULL Pointer Dereference

OFFIS DCMTK 3.6.9 Memory Corruption in dcmdata::DcmByteString
CVE-2025-14607 6.3 - Medium - December 13, 2025

A vulnerability was detected in OFFIS DCMTK up to 3.6.9. The affected function is DcmByteString::makeDicomByteString in the file dcmdata/libsrc/dcbytstr.cc of the dcmdata component. Manipulated input results in memory corruption. The attack can be launched remotely. Upgrading to version 3.7.0 resolves this issue; the fix is patch 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. You should upgrade the affected component.

Buffer Overflow

DCMTK 3.6.9 dcmjpls JPEG-LS Decoder MemCorrupt Remote
CVE-2025-2357 6.3 - Medium - March 17, 2025

A vulnerability was found in DCMTK 3.6.9. It has been declared as critical. This vulnerability affects unknown code of the component dcmjpls JPEG-LS Decoder. The manipulation leads to memory corruption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 3239a7915. It is recommended to apply a patch to fix this issue.

Buffer Overflow

Offis DCMTK 3.6.8 OOB Write via nowindow DICOM Vulnerability
CVE-2024-47796 8.4 - High - January 13, 2025

An improper array index validation vulnerability exists in the nowindow functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

Buffer Overflow

DCMTK 3.6.8 OOB Write via Unsafe Array Indexing in determineMinMax
CVE-2024-52333 8.4 - High - January 13, 2025

An improper array index validation vulnerability exists in the determineMinMax functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

Buffer Overflow

Buffer Overflow in DCMTK 3.6.8 EctEnhancedCT
CVE-2024-27628 - June 28, 2024

Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to execute arbitrary code via the EctEnhancedCT method component.

DCMTK before 3.6.9 dcmnet SegFault via Invalid DIMSE Msg
CVE-2024-34508 4.3 - Medium - May 05, 2024

dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message.

NULL Pointer Dereference

Segfault via invalid DIMSE in DCMTK<3.6.9 dcmdata
CVE-2024-34509 5.3 - Medium - May 05, 2024

dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message.

OFFIS DCMTK 3.6.8: DVPSSoftcopyVOI_PList type cast flaw code exec
CVE-2024-28130 7.5 - High - April 23, 2024

An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS DCMTK 3.6.8. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Incorrect Type Conversion or Cast

Memory Leak via T_ASC_Association in DCMTK <3.6.8 (v3.6.7)
CVE-2022-43272 7.5 - High - December 02, 2022

DCMTK v3.6.7 was discovered to contain a memory leak via the T_ASC_Association object.

DCMTK through 3.6.6 does not handle memory free properly
CVE-2021-41687 - June 28, 2022

DCMTK through 3.6.6 does not handle memory free properly. The program mallocs heap memory for parsing data but does not free it when parsing fails. Sending specific requests to the dcmqrdb program incurs the memory leak. An attacker can use it to launch a DoS attack.

DCMTK through 3.6.6 does not handle memory free properly
CVE-2021-41688 - June 28, 2022

DCMTK through 3.6.6 does not handle memory free properly. An object in the program is freed but its address is still used in other locations. Sending specific requests to the dcmqrdb program will incur a double free. An attacker can use it to launch a DoS attack.

DCMTK through 3.6.6 does not handle string copy properly
CVE-2021-41689 7.5 - High - June 28, 2022

DCMTK through 3.6.6 does not handle string copy properly. When specific requests are sent to the dcmqrdb program, it queries its database and copies the result even if the result is null, which can incur a heap-based overflow. An attacker can use it to launch a DoS attack.

NULL Pointer Dereference

DCMTK through 3.6.6 does not handle memory free properly
CVE-2021-41690 - June 28, 2022

DCMTK through 3.6.6 does not handle memory free properly. The malloced memory for storing all file information is recorded in a global variable LST and is not freed properly. Sending specific requests to the dcmqrdb program can incur a memory leak. An attacker can use it to launch a DoS attack.

OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal
CVE-2022-2119 9.8 - Critical - June 24, 2022

OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.

Directory traversal

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal
CVE-2022-2120 9.8 - Critical - June 24, 2022

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.

Directory traversal

OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer dereference vulnerability while processing DICOM files
CVE-2022-2121 7.5 - High - June 24, 2022

OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition.

NULL Pointer Dereference

OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow
CVE-2019-1010228 9.8 - Critical - July 22, 2019

OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. The impact is: Possible code execution and confirmed Denial of Service. The component is: DcmRLEDecoder::decompress() (file dcrledec.h, line 122). The attack vector is: Many scenarios of DICOM file processing (e.g. DICOM to image conversion). The fixed version is: 3.6.4, after commit 40917614e.

Memory Corruption
