Skip to main content

OFFIS DCMTK CVE-2026-10194

| EUVDEUVD-2026-33516 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-05-31 VulDB GHSA-x58f-wmvg-jxpc
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 31, 2026 - 17:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
May 31, 2026 - 17:21 vuln.today

DescriptionCVE.org

A weakness has been identified in OFFIS DCMTK 3.7.0. This affects the function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages of the file dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. This patch is called 0f78a4ef6f645ea5530166e445e5436a5de58e75. A patch should be applied to remediate this issue.

AnalysisAI

Heap-based buffer overflow in OFFIS DCMTK 3.7.0's dcmqrscp component allows remote low-privileged attackers to trigger memory corruption via the deleteOldestImages function in the DICOM Query/Retrieve database backend. Exploitation requires authenticated network access with low complexity and results in partial confidentiality, integrity, and availability impact without crossing privilege boundaries. No public exploit identified at time of analysis; an upstream git commit patch is confirmed available, though a formally tagged release version incorporating the fix has not been independently verified.

Technical ContextAI

DCMTK (DICOM Toolkit) is an open-source C++ library and application suite developed by OFFIS for implementing the DICOM medical imaging standard, widely deployed in healthcare infrastructure including PACS (Picture Archiving and Communication Systems). The affected component dcmqrscp (DICOM Query/Retrieve Service Class Provider) manages medical image storage, indexing, and retrieval. The vulnerable function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages resides in dcmqrdb/libsrc/dcmqrdbi.cc and is responsible for automatic eviction of oldest images from the internal database index - a housekeeping function triggered during storage capacity management. CWE-122 (Heap-based Buffer Overflow) identifies the root cause: a heap-allocated buffer is written beyond its allocated boundaries, which can corrupt adjacent heap metadata or object pointers, potentially enabling code execution or denial-of-service. The CPE string cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:* with version 3.7.0 explicitly cited in the description identifies the confirmed affected release; the wildcard notation may indicate additional versions are affected but this is not independently confirmed.

RemediationAI

Apply the upstream patch commit 0f78a4ef6f645ea5530166e445e5436a5de58e75 from the official DCMTK git repository, available at https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=0f78a4ef6f645ea5530166e445e5436a5de58e75. Note that this is an upstream commit reference - a formally released and tagged patched version is not independently confirmed from available data; organizations should verify with OFFIS whether a tagged release incorporating this fix has been published before deploying. As compensating controls while patching is in progress: restrict network access to dcmqrscp listeners using host-based or network firewall rules to permit only trusted DICOM peer AE (Application Entity) addresses, which directly limits the low-privilege attack surface required for exploitation (trade-off: may disrupt legitimate DICOM peers not yet allowlisted). Additionally, enforce strict DICOM AE title authentication on the dcmqrscp configuration to prevent unrecognized callers from establishing sessions; disabling the Query/Retrieve SCP service entirely is an option of last resort where that function is non-critical. Monitor dcmqrscp process logs and system crash dumps for anomalous heap corruption signals as a detection measure.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-10194 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy