Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, unauthenticated, low-complexity connection request with no user interaction yields a memory-leak DoS, so AV:N/AC:L/PR:N/UI:N with availability-only impact A:H and C:N/I:N.
Primary rating from Vendor (icscert).
Description (source: CVE.org)
An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator restarts it.
Analysis (AI)
Denial of service in OFFIS DCMTK's storescp DICOM receiver allows an unauthenticated remote attacker to exhaust process memory by repeatedly sending a single crafted connection request (CWE-401 memory leak), eventually crashing the service so it stops accepting connections until an operator manually restarts it. In the default single-process deployment mode the leak accumulates per connection and brings the listener down quickly. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the target run DCMTK's storescp in its default single-process mode, where leaked memory accumulates in the long-lived listener until the service is OOM-killed; the attacker only needs network reachability to the storescp listening port and sends a single crafted connection request repeatedly. … |
| Risk Assessment | Signals are internally consistent and point to a genuine but availability-only risk. … |
| Exploit Scenario | An attacker with network access to a hospital's DICOM ingestion VLAN repeatedly opens crafted associations to the storescp port; with no authentication required and low complexity, each request leaks memory until the single-process receiver is OOM-killed and stops accepting studies. Imaging modalities can no longer push images to the receiver until an operator restarts it, disrupting clinical workflow. … |
| Remediation | Upgrade DCMTK to the fixed release published by OFFIS on the project's GitHub releases page (https://github.com/DCMTK/dcmtk/releases/tag/latest). That reference points to a 'latest' release tag rather than a pinned version number: a patch is available per the vendor advisory, but the exact patched version is not independently confirmed from the provided data, so confirm it against CISA ICSMA-26-181-01 before deploying. … |
Recommended Action (AI)
Within 24 hours: identify and inventory all DCMTK storescp deployments; isolate to network segments with restricted access; enable connection-rate limiting at ingress points. …
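As an added defender-side example (not part of this record and not DCMTK project code), the following Python flags source addresses that open associations to a storescp listener at an abnormal rate, which supports the monitoring and connection-rate-limiting step above: a single peer repeatedly opening associations is exactly the pattern the leak depends on. The log line format is a constructed approximation of storescp's verbose "Association Received" output, and the 60-second window and threshold of 5 are illustrative assumptions to tune against a site's real modality traffic.

```python
"""Sliding-window association-rate detector for a DICOM storescp listener.

Added example, not DCMTK code. Assumes (constructed) log lines of the form
"<ISO timestamp> I: Association Received (<peer-ip>:<port>)"; any other line
is ignored. Reports peers whose association count inside any window reaches
the threshold, as a signal to rate-limit or isolate that source.
"""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 10.0.5.20 behaves like a normal modality (three
# associations in 40 s); 10.0.9.77 opens eight associations in seven seconds.
SAMPLE_LOG = """\
2026-03-01T10:00:00 I: Association Received (10.0.5.20:49152)
2026-03-01T10:00:00 I: Association Acknowledged (Max Send PDV: 16372)
2026-03-01T10:00:20 I: Association Received (10.0.5.20:49153)
2026-03-01T10:00:40 I: Association Received (10.0.5.20:49154)
2026-03-01T10:01:00 I: Association Received (10.0.9.77:40001)
2026-03-01T10:01:01 I: Association Received (10.0.9.77:40002)
2026-03-01T10:01:02 I: Association Received (10.0.9.77:40003)
2026-03-01T10:01:03 I: Association Received (10.0.9.77:40004)
2026-03-01T10:01:04 I: Association Received (10.0.9.77:40005)
2026-03-01T10:01:05 I: Association Received (10.0.9.77:40006)
2026-03-01T10:01:06 I: Association Received (10.0.9.77:40007)
2026-03-01T10:01:07 I: Association Received (10.0.9.77:40008)
2026-03-01T10:10:00 I: Association Received (10.0.9.77:40009)
"""

# Assumed line format; adjust the pattern to the real log shape on site.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"I: Association Received \((?P<ip>[\d.]+):\d+\)$"
)


def parse_associations(log_text):
    """Return a chronological list of (timestamp, peer_ip) for association lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # acknowledgements, transfers, noise: not an association open
        events.append((datetime.fromisoformat(m.group("ts")), m.group("ip")))
    events.sort()  # the sliding window below assumes chronological order
    return events


def peak_rate_per_peer(events, window_seconds=60):
    """Map each peer to the largest number of associations it opened in any window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-peer timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop associations that aged out of the window
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_noisy_peers(log_text, window_seconds=60, threshold=5):
    """Peers whose association burst reached the threshold, sorted for stable output."""
    peaks = peak_rate_per_peer(parse_associations(log_text), window_seconds)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    for ip in flag_noisy_peers(SAMPLE_LOG):
        print(f"high association rate from {ip}: consider rate-limiting or isolating")
```

Feed the script the receiver's log (or a tail of it) rather than the embedded sample; the threshold should sit above the burst a legitimate modality produces when it pushes a multi-series study, and a flagged peer is a candidate for the ingress rate limit recommended above, not proof of an attack on its own.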
Weakness: CWE-401 – Memory Leak
EUVD-2026-40421
GHSA-69cc-m82h-x8rm