Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered crafted file requires passive user parsing (UI:R); no privileges needed; impact capped at Low across C/I/A consistent with vendor's CVSS 4.0 assessment and limited scope.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AnalysisAI
Heap-based buffer overflow in OFFIS DCMTK's XMLNode::parseFile function (ofstd/libsrc/ofxml.cc) affects all versions through 3.7.0, exploitable by any remote party who can supply a crafted or non-seekable XML input to the parser. The root cause - confirmed by the upstream patch commit - is that the original guard if (!l) failed to catch a -1 return from ftell(), allowing a corrupted buffer size to propagate into heap allocation and subsequent write. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability triggers when XMLNode::parseFile is called with a file descriptor for which ftell() returns -1 - specifically, non-seekable file types such as named pipes, character devices, or sockets. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) scores 2.1 - low on its face, driven primarily by the passive-interaction requirement (UI:P) and low impact ratings across all dimensions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can deliver a crafted non-seekable file descriptor or malformed XML file to a DCMTK-based medical imaging service - for example, by submitting a malicious DICOM XML payload to a network-accessible PACS endpoint, or by convincing a radiology user to open an attacker-supplied XML configuration file - causes parseFile to receive -1 from ftell(), bypassing the size guard and triggering heap corruption. A public proof-of-concept is documented in a Medium article (https://medium.com/@faboherrera.fabo/dcmtk-vulnerability-report-201afc687790), demonstrating the triggering condition. … |
| Remediation | Apply the upstream patch commit 1d4b3815c0987840a983160bfc671fef63a3105b, available at https://github.com/DCMTK/dcmtk/commit/1d4b3815c0987840a983160bfc671fef63a3105b and the authoritative DCMTK repository at https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d4b3815c0987840a983160bfc671fef63a3105b. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability i
Stack-based buffer overflow in the parsePresentationContext function in storescp in DICOM dcmtk-3.6.0 and earlier allows
Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to execute arbitrary code via the EctEnhancedCT method
An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS D
DCMTK v3.6.7 was discovered to contain a memory leak via the T_ASC_Association object. Rated high severity (CVSS 7.5), t
(1) movescu.cc and (2) storescp.cc in dcmnet/apps/, (3) dcmnet/libsrc/scp.cc, (4) dcmwlm/libsrc/wlmactmg.cc, (5) dcmprsc
OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing
OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an at
dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. Rated medium severity (CVSS 5.3), t
dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. Rated medium severity (CVSS 4.3), th
A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial
OS command injection in OFFIS DCMTK's storescp utility (versions up to 3.7.0) allows unauthenticated remote attackers to
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38191
GHSA-35pp-gpq2-4898