Skip to main content

DCMTK CVE-2026-35505

| EUVDEUVD-2026-40420 HIGH
Memory Leak (CWE-401)
2026-06-30 icscert GHSA-p8qm-mxfj-7vc2
8.7
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network-triggered memory leak with low complexity (PR:N/AV:N/AC:L), impact limited to availability via service crash (A:H; C:N/I:N), no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 22:02 vuln.today

DescriptionCVE.org

An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.

AnalysisAI

Denial of service in OFFIS DCMTK DICOM toolkit allows an unauthenticated remote attacker to exhaust memory by repeatedly sending crafted connection requests, each of which leaks unfreed memory. In single-process deployments the leaked memory accumulates until the service process is killed by the OS and the listening port stops responding until a manual restart. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed DCMTK DICOM port
Delivery
Send crafted connection/association request
Exploit
Leak unfreed memory per request
Execution
Repeat to exhaust process memory
Impact
Service killed, port stops responding

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reachability to a DICOM service built on DCMTK that accepts inbound connection/association requests; no authentication, no user interaction, and no special feature toggle are needed (AV:N/AC:L/PR:N/UI:N) - the leak is triggered by the normal connection-request handling path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, with impact confined to availability (VA:H; VC:N/VI:N - no confidentiality or integrity loss). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the DICOM network port (e.g., an exposed or insufficiently segmented modality/PACS listener built on DCMTK) scripts repeated crafted connection/association requests against the service. With no authentication or user interaction required, each request leaks memory; over time the single-process service exhausts available memory, is killed by the OS, and the imaging port stops accepting connections until an operator manually restarts it. …
Remediation Upgrade DCMTK to the current fixed release referenced in the advisory (https://github.com/DCMTK/dcmtk/releases/tag/latest); the input does not specify an exact tagged fix version, so the released patched version is not independently confirmed and operators should confirm the precise build that contains the CWE-401 fix against ICSMA-26-181-01 (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and inventory all DCMTK deployments; restrict network access to the DCMTK service to authorized clinical networks and systems only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-35505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy