Skip to main content

DCMTK Toolkit EUVDEUVD-2026-40412

| CVE-2026-44628 HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-06-30 icscert GHSA-gh96-6fq7-wjh8
8.7
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote single-query crash with no auth or interaction (AV:N/AC:L/PR:N/UI:N); only availability is impacted (A:H), no confidentiality or integrity loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 21:17 vuln.today

DescriptionCVE.org

An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching worklist record.

AnalysisAI

Denial of service in OFFIS DCMTK's DICOM worklist server (wlmscpfs) allows a remote, unauthenticated attacker to crash the service with a single crafted DICOM query when the server is provisioned with a valid Called AE Title, a storage directory, the expected lockfile, and at least one matching worklist record. The flaw stems from a type-confusion condition (CWE-843) and carries a CVSS 4.0 base score of 8.7 driven entirely by high availability impact (VA:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach DICOM worklist SCP over network
Delivery
Send single crafted C-FIND query
Exploit
Trigger CWE-843 type confusion on matching record
Execution
Corrupt memory in wlmscpfs
Impact
Crash worklist server (availability loss)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be a running DCMTK Modality Worklist server (wlmscpfs) that is provisioned for normal operation: it must have a valid Called AE Title configured, an associated storage directory, the expected lockfile present, and at least one worklist record that matches the attacker's query. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, score 8.7 'High') describes a fully remote, low-complexity, unauthenticated attack with no user interaction whose only impact is availability - there is no confidentiality or integrity loss, so the real-world consequence is a crashed worklist service, not data theft or RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to the hospital's DICOM worklist port sends a single crafted C-FIND query to a running wlmscpfs server that holds at least one matching worklist record; the type-confusion bug triggers memory corruption and the worklist server process crashes, halting modality worklist delivery to imaging devices. No authentication or user interaction is needed, and the low attack complexity means the request can be replayed to keep the service down. …
Remediation Upgrade DCMTK to the fixed upstream release referenced by OFFIS - the provided reference points to the DCMTK GitHub releases page (https://github.com/DCMTK/dcmtk/releases/tag/latest), which is a release-tracking link rather than a tagged version number, so the released patched version is not independently confirmed from the input; consult CISA ICSMA-26-181-01 (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01) and its CSAF file to obtain the exact patched build before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running OFFIS DCMTK wlmscpfs; document version numbers and network location, prioritizing production clinical environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy