Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated, network-triggered memory leak with low attack complexity (AV:N/AC:L/PR:N); impact is limited to availability through a service crash (VA:H; VC:N/VI:N), with no impact on subsequent systems (SC:N/SI:N/SA:N).
Primary rating from Vendor (icscert).
Description (CVE.org)
An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.
Analysis (AI)
Denial of service in OFFIS DCMTK DICOM toolkit allows an unauthenticated remote attacker to exhaust memory by repeatedly sending crafted connection requests, each of which leaks unfreed memory. In single-process deployments the leaked memory accumulates until the service process is killed by the OS and the listening port stops responding until a manual restart. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires only network reachability to a DICOM service built on DCMTK that accepts inbound connection/association requests; no authentication, no user interaction, and no special feature toggle are needed (AV:N/AC:L/PR:N/UI:N). The leak is triggered on the normal connection-request handling path. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, with impact confined to availability (VA:H; VC:N/VI:N, so no confidentiality or integrity loss). … |
| Exploit Scenario | An attacker who can reach the DICOM network port (e.g., an exposed or insufficiently segmented modality/PACS listener built on DCMTK) scripts repeated crafted connection/association requests against the service. With no authentication or user interaction required, each request leaks memory; over time the single-process service exhausts available memory, is killed by the OS, and the imaging port stops accepting connections until an operator manually restarts it. … |
| Remediation | Upgrade DCMTK to the current fixed release referenced in the advisory (https://github.com/DCMTK/dcmtk/releases/tag/latest). The input does not specify an exact tagged fix version, so the patched release is not independently confirmed; operators should verify the precise build that contains the CWE-401 fix against ICSMA-26-181-01 (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01). … |
Recommended Action (AI)
24 hours: Identify and inventory all DCMTK deployments; restrict network access to the DCMTK service to authorized clinical networks and systems only. …
Weakness: CWE-401 (Memory Leak)
References: EUVD-2026-40420, GHSA-p8qm-mxfj-7vc2