oss-sec mailing list archives
OFFIS DCMTK: 5 CISA-coordinated DICOM vulnerabilities
From: Abhinav Agarwal <abhinavagarwal1996 () gmail com>
Date: Tue, 30 Jun 2026 22:09:04 -0700
CISA has published an advisory for five vulnerabilities in OFFIS DCMTK (DICOM Toolkit), affecting DCMTK <= 3.7.0:
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01

Fix status: The fixes are in upstream DCMTK master but not in any release as of today:
https://github.com/DCMTK/dcmtk/releases/tag/latest

Vulnerabilities and fixes:

1. CVE-2026-50003 - bit-preserving C-GET path traversal - CVSS v3.1: 9.8 Critical
   Fix: eca9a03dd

   A victim DCMTK C-GET client connects to a malicious or compromised DICOM server while using bit-preserving storage mode (getscu --bit-preserving / DCMSCU_STORAGE_BIT_PRESERVING). During the C-GET response, the server supplies an affected SOP Instance UID containing path separators or an absolute path. DcmSCU::handleCGETSession() used that value to build the output path without the filename sanitization used by the normal disk-storage path. The result is file creation/truncation outside the selected output directory, limited to paths writable by the client process and to directories that already exist.

2. CVE-2026-50254 - Extended Negotiation memory leak - CVSS v3.1: 7.5 High
   Fix: 23f181f7a

   An unauthenticated client repeatedly opens a DICOM association and sends an A-ASSOCIATE-RQ containing many Extended Negotiation items followed by a malformed/truncated Extended Negotiation item. The parser error path frees the list container but not the allocated negotiation items. In storescp default single-process mode, repeated connections cause RSS growth until the process is killed or stops accepting DICOM connections.

3. CVE-2026-35505 - connection error-path memory leaks - CVSS v3.1: 7.5 High
   Fix: 2312891a8

   An unauthenticated client sends an A-ASSOCIATE-RQ where presentation-context structures are parsed and allocated, then a later presentation context triggers a translation failure, for example by containing no transfer syntaxes. The server returns before freeing the parsed PDU graph. Repeating this request leaks memory in single-process services. There is also an analogous SCU-side error path when a long-running DCMTK client parses a malformed A-ASSOCIATE-AC from a rogue server.

4. CVE-2026-52868 - Called AE Title path traversal in wlmscpfs - CVSS v3.1: 8.2 High
   Fix: e3878daf8

   An unauthenticated client connects to wlmscpfs with a Called AE Title containing a short traversal sequence. wlmscpfs used the Called AE Title to construct worklist storage and lockfile paths without a containment check. If the resolved directory exists, has the expected lockfile, and contains matching .wl worklist files, a normal C-FIND query can return records outside the intended per-AE storage area. This is not an arbitrary OS file read; disclosure is limited to reachable worklist records within the 16-byte AE Title naming constraint. With non-default --request-file-path logging and AE Title/Patient ID placeholders, the same unsanitized values could also produce a constrained write outside the request-file directory.

5. CVE-2026-44628 - VR-spoofing type confusion in wlmscpfs - CVSS v3.1: 7.5 High
   Fixes: f4e007468 and 694a0a06a

   An unauthenticated client negotiates Explicit VR and sends a C-FIND request containing a dictionary sequence tag encoded on the wire with a non-sequence VR. DCMTK constructs a non-sequence object, but wlmscpfs later casts the result to DcmSequenceOfItems without checking the actual type. If the query reaches a valid worklist directory with an expected lockfile and a matching record, the wrong-type use crashes the process. In single-process mode this stops the service; in default fork mode the child crashes and the parent continues serving.

Potential exposure includes patient worklist metadata in affected wlmscpfs deployments, file write outside an intended C-GET output directory, and availability loss for DICOM worklist/storage services through crash or OOM.

Coordination timeline:

2026-05-11  Reported to OFFIS DCMTK maintainers
2026-05-12  First fix committed upstream
2026-05-14  CERT/CC case opened as VU#470252
2026-05-29  Remaining fixes committed upstream
2026-06-30  CISA advisory published as ICSMA-26-181-01

Mitigation notes:

* Apply the upstream fixes or the rolling latest snapshot when possible.
* Keep DICOM services on trusted networks only.
* For DoS exposure, prefer multi-process/fork mode where available.
* Avoid getscu --bit-preserving / DCMSCU_STORAGE_BIT_PRESERVING with untrusted C-GET servers until patched.

Additional background:
https://www.healthcareinfosecurity.com/dicom-toolkit-bugs-raise-medical-imaging-security-risks-a-32114

Credit: Reported by Abhinav Agarwal.
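Added defender-side example, not DCMTK code and not part of the post above: issues 1 and 4 both stem from joining a peer-supplied DICOM identifier (a SOP Instance UID, a Called AE Title) to a filesystem path without validating it. The hypothetical checks below enforce the DICOM "UI" and "AE" value representation rules before a value is used as a file or directory name, so separators, "..", and absolute paths are rejected rather than sanitized after the fact.

```cpp
#include <cctype>
#include <string>

// Added example, not DCMTK code; function names are hypothetical.
// CVE-2026-50003 (SOP Instance UID as output filename) and CVE-2026-52868
// (Called AE Title as worklist directory) both come from using a peer-supplied
// identifier as a path component without checking it against its VR rules.

// DICOM VR "UI": 1..64 characters, dot-separated components of digits only,
// no empty component, no leading zero in a multi-digit component.
bool isValidDicomUid(const std::string& uid) {
    if (uid.empty() || uid.size() > 64) return false;
    size_t start = 0;                                   // start of current component
    for (size_t i = 0; i <= uid.size(); ++i) {
        if (i == uid.size() || uid[i] == '.') {
            size_t len = i - start;
            if (len == 0) return false;                 // "1..2", ".1", "1."
            if (len > 1 && uid[start] == '0') return false;  // "1.02"
            start = i + 1;
        } else if (!std::isdigit(static_cast<unsigned char>(uid[i]))) {
            return false;                               // '/', '\\', letters, spaces
        }
    }
    return true;
}

// DICOM VR "AE": up to 16 bytes of the default character repertoire without
// backslash or control characters. The A-ASSOCIATE-RQ field is space padded,
// so padding is stripped first. Returns the cleaned title, or "" when the
// value must not be used as a directory name ('/' is also refused here).
std::string safeAeTitle(const std::string& raw) {
    size_t b = raw.find_first_not_of(' ');
    if (b == std::string::npos) return "";              // all spaces / empty
    size_t e = raw.find_last_not_of(' ');
    std::string ae = raw.substr(b, e - b + 1);
    if (ae.size() > 16 || ae == "." || ae == "..") return "";
    for (unsigned char c : ae)
        if (c < 0x20 || c > 0x7e || c == '\\' || c == '/') return "";
    return ae;
}

// Build "<outDir>/<uid>.dcm" only from a UID that passed its VR check; an
// empty result tells the caller to reject the response instead of touching
// the disk with a path built from unvalidated input.
std::string instanceOutputPath(const std::string& outDir, const std::string& sopInstanceUid) {
    if (!isValidDicomUid(sopInstanceUid)) return "";
    return outDir + "/" + sopInstanceUid + ".dcm";
}
```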