Skip to main content

OFFIS DCMTK CVE-2026-12805

| EUVDEUVD-2026-38191 LOW
Heap-based Buffer Overflow (CWE-122)
2026-06-21 VulDB GHSA-35pp-gpq2-4898
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-delivered crafted file requires passive user parsing (UI:R); no privileges needed; impact capped at Low across C/I/A consistent with vendor's CVSS 4.0 assessment and limited scope.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 22, 2026 - 06:45 vuln.today
Analysis Generated
Jun 22, 2026 - 06:45 vuln.today
Severity Changed
Jun 21, 2026 - 20:22 NVD
MEDIUM LOW
CVSS changed
Jun 21, 2026 - 20:22 NVD
5.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Heap-based buffer overflow in OFFIS DCMTK's XMLNode::parseFile function (ofstd/libsrc/ofxml.cc) affects all versions through 3.7.0, exploitable by any remote party who can supply a crafted or non-seekable XML input to the parser. The root cause - confirmed by the upstream patch commit - is that the original guard if (!l) failed to catch a -1 return from ftell(), allowing a corrupted buffer size to propagate into heap allocation and subsequent write. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted non-seekable or malformed XML file to DCMTK service
Delivery
User or process invokes XMLNode::parseFile on attacker input
Exploit
ftell() returns -1, bypassing original `!l` size guard
Execution
Corrupted size used for heap buffer allocation
Persist
File contents written beyond allocated heap region
Impact
Process crash or arbitrary code execution within DCMTK context

Vulnerability AssessmentAI

Exploitation The vulnerability triggers when XMLNode::parseFile is called with a file descriptor for which ftell() returns -1 - specifically, non-seekable file types such as named pipes, character devices, or sockets. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) scores 2.1 - low on its face, driven primarily by the passive-interaction requirement (UI:P) and low impact ratings across all dimensions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can deliver a crafted non-seekable file descriptor or malformed XML file to a DCMTK-based medical imaging service - for example, by submitting a malicious DICOM XML payload to a network-accessible PACS endpoint, or by convincing a radiology user to open an attacker-supplied XML configuration file - causes parseFile to receive -1 from ftell(), bypassing the size guard and triggering heap corruption. A public proof-of-concept is documented in a Medium article (https://medium.com/@faboherrera.fabo/dcmtk-vulnerability-report-201afc687790), demonstrating the triggering condition. …
Remediation Apply the upstream patch commit 1d4b3815c0987840a983160bfc671fef63a3105b, available at https://github.com/DCMTK/dcmtk/commit/1d4b3815c0987840a983160bfc671fef63a3105b and the authoritative DCMTK repository at https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d4b3815c0987840a983160bfc671fef63a3105b. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dcmtk

View all
CVE-2019-1010228 CRITICAL POC
9.8 Jul 22

OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability i

CVE-2015-8979 HIGH POC
7.5 Feb 15

Stack-based buffer overflow in the parsePresentationContext function in storescp in DICOM dcmtk-3.6.0 and earlier allows

CVE-2024-27628 HIGH POC
8.1 Jun 28

Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to execute arbitrary code via the EctEnhancedCT method

CVE-2024-28130 HIGH POC
7.5 Apr 23

An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS D

CVE-2022-43272 HIGH POC
7.5 Dec 02

DCMTK v3.6.7 was discovered to contain a memory leak via the T_ASC_Association object. Rated high severity (CVSS 7.5), t

CVE-2013-6825 HIGH POC
7.2 Jun 10

(1) movescu.cc and (2) storescp.cc in dcmnet/apps/, (3) dcmnet/libsrc/scp.cc, (4) dcmwlm/libsrc/wlmactmg.cc, (5) dcmprsc

CVE-2022-2120 CRITICAL
9.8 Jun 24

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing

CVE-2022-2119 CRITICAL
9.8 Jun 24

OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an at

CVE-2024-34509 MEDIUM POC
5.3 May 05

dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. Rated medium severity (CVSS 5.3), t

CVE-2024-34508 MEDIUM POC
4.3 May 05

dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. Rated medium severity (CVSS 4.3), th

CVE-2025-25475 HIGH
7.5 Feb 18

A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial

CVE-2026-5663 MEDIUM
6.9 Apr 06

OS command injection in OFFIS DCMTK's storescp utility (versions up to 3.7.0) allows unauthenticated remote attackers to

Share

CVE-2026-12805 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy