Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A weakness has been identified in OFFIS DCMTK 3.7.0. This affects the function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages of the file dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. This patch is called 0f78a4ef6f645ea5530166e445e5436a5de58e75. A patch should be applied to remediate this issue.
AnalysisAI
Heap-based buffer overflow in OFFIS DCMTK 3.7.0's dcmqrscp component allows remote low-privileged attackers to trigger memory corruption via the deleteOldestImages function in the DICOM Query/Retrieve database backend. Exploitation requires authenticated network access with low complexity and results in partial confidentiality, integrity, and availability impact without crossing privilege boundaries. No public exploit identified at time of analysis; an upstream git commit patch is confirmed available, though a formally tagged release version incorporating the fix has not been independently verified.
Technical ContextAI
DCMTK (DICOM Toolkit) is an open-source C++ library and application suite developed by OFFIS for implementing the DICOM medical imaging standard, widely deployed in healthcare infrastructure including PACS (Picture Archiving and Communication Systems). The affected component dcmqrscp (DICOM Query/Retrieve Service Class Provider) manages medical image storage, indexing, and retrieval. The vulnerable function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages resides in dcmqrdb/libsrc/dcmqrdbi.cc and is responsible for automatic eviction of oldest images from the internal database index - a housekeeping function triggered during storage capacity management. CWE-122 (Heap-based Buffer Overflow) identifies the root cause: a heap-allocated buffer is written beyond its allocated boundaries, which can corrupt adjacent heap metadata or object pointers, potentially enabling code execution or denial-of-service. The CPE string cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:* with version 3.7.0 explicitly cited in the description identifies the confirmed affected release; the wildcard notation may indicate additional versions are affected but this is not independently confirmed.
RemediationAI
Apply the upstream patch commit 0f78a4ef6f645ea5530166e445e5436a5de58e75 from the official DCMTK git repository, available at https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=0f78a4ef6f645ea5530166e445e5436a5de58e75. Note that this is an upstream commit reference - a formally released and tagged patched version is not independently confirmed from available data; organizations should verify with OFFIS whether a tagged release incorporating this fix has been published before deploying. As compensating controls while patching is in progress: restrict network access to dcmqrscp listeners using host-based or network firewall rules to permit only trusted DICOM peer AE (Application Entity) addresses, which directly limits the low-privilege attack surface required for exploitation (trade-off: may disrupt legitimate DICOM peers not yet allowlisted). Additionally, enforce strict DICOM AE title authentication on the dcmqrscp configuration to prevent unrecognized callers from establishing sessions; disabling the Query/Retrieve SCP service entirely is an option of last resort where that function is non-critical. Monitor dcmqrscp process logs and system crash dumps for anomalous heap corruption signals as a detection measure.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33516
GHSA-x58f-wmvg-jxpc