Skip to main content

Dcmtk CVE-2020-36855

LOW
Buffer Overflow (CWE-119)
2025-10-21 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Oct 21, 2025 - 15:15 cve.org
LOW 1.9

DescriptionCVE.org

A security vulnerability has been detected in DCMTK up to 3.6.5. The affected element is the function parseQuota of the component dcmqrscp. The manipulation of the argument StorageQuota leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Upgrading to version 3.6.6 is sufficient to fix this issue. The identifier of the patch is 0fef9f02e. It is recommended to upgrade the affected component.

AnalysisAI

A security vulnerability has been detected in DCMTK up to 3.6.5. Rated low severity (CVSS 1.9), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Buffer Overflow (CWE-119), which allows attackers to corrupt memory to execute arbitrary code or crash the application. A security vulnerability has been detected in DCMTK up to 3.6.5. The affected element is the function parseQuota of the component dcmqrscp. The manipulation of the argument StorageQuota leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Upgrading to version 3.6.6 is sufficient to fix this issue. The identifier of the patch is 0fef9f02e. It is recommended to upgrade the affected component. Affected products include: Offis Dcmtk. Version information: up to 3.6.5..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use memory-safe languages or bounds-checking. Enable ASLR, DEP/NX, stack canaries. Use safe string functions.

More in Dcmtk

View all
CVE-2019-1010228 CRITICAL POC
9.8 Jul 22

OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability i

CVE-2015-8979 HIGH POC
7.5 Feb 15

Stack-based buffer overflow in the parsePresentationContext function in storescp in DICOM dcmtk-3.6.0 and earlier allows

CVE-2024-27628 HIGH POC
8.1 Jun 28

Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to execute arbitrary code via the EctEnhancedCT method

CVE-2024-28130 HIGH POC
7.5 Apr 23

An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS D

CVE-2022-43272 HIGH POC
7.5 Dec 02

DCMTK v3.6.7 was discovered to contain a memory leak via the T_ASC_Association object. Rated high severity (CVSS 7.5), t

CVE-2013-6825 HIGH POC
7.2 Jun 10

(1) movescu.cc and (2) storescp.cc in dcmnet/apps/, (3) dcmnet/libsrc/scp.cc, (4) dcmwlm/libsrc/wlmactmg.cc, (5) dcmprsc

CVE-2022-2120 CRITICAL
9.8 Jun 24

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing

CVE-2022-2119 CRITICAL
9.8 Jun 24

OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an at

CVE-2024-34509 MEDIUM POC
5.3 May 05

dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. Rated medium severity (CVSS 5.3), t

CVE-2024-34508 MEDIUM POC
4.3 May 05

dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. Rated medium severity (CVSS 4.3), th

CVE-2025-25475 HIGH
7.5 Feb 18

A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial

CVE-2026-5663 MEDIUM
6.9 Apr 06

OS command injection in OFFIS DCMTK's storescp utility (versions up to 3.7.0) allows unauthenticated remote attackers to

Share

CVE-2020-36855 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy