OFFIS DCMTK <3.7.0 Heap-Overflow in XMLNode::parseFile
CVE-2026-12805 Published on June 21, 2026
OFFIS DCMTK ofxml.cc parseFile heap-based overflow
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the file ofstd/libsrc/ofxml.cc. Manipulation can lead to a heap-based buffer overflow. The attack may be performed remotely. The exploit has been published and may be used. The patch is identified as 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Types
Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
What is a Buffer Overflow Vulnerability?
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
CVE-2026-12805 has been classified as a Buffer Overflow vulnerability or weakness.
Products Associated with CVE-2026-12805
Affected Versions
OFFIS DCMTK:
- Version 3.0 is affected.
- Version 3.1 is affected.
- Version 3.2 is affected.
- Version 3.3 is affected.
- Version 3.4 is affected.
- Version 3.5 is affected.
- Version 3.6 is affected.
- Version 3.7.0 is affected.