Source: dcmtk
Version: 3.7.0+really3.7.0-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for dcmtk.

I still filled this as RC level, but I'm unsure if they really would
warrant a security advisory, in particular the critical rated one
needs to connect to a malicious DICOM server.

CVE-2026-50003[0]:
| A malicious or compromised server can make a DCMTK client using bit-
| preserving C-GET storage mode write files outside the chosen output
| directory, using both relative (../) paths and absolute paths.


CVE-2026-50254[1]:
| An unauthenticated remote attacker can repeatedly send a single
| crafted connection request to leak memory. Against storescp in its
| default single-process mode, memory grows quickly and the service is
| eventually killed, after which it stops accepting connections until
| an operator restarts it.


CVE-2026-35505[2]:
| An unauthenticated remote attacker can repeatedly send crafted
| connection requests to leak memory. In single-process deployments
| the memory grows until the service is killed and the port stops
| responding until restart.


CVE-2026-52868[3]:
| An unauthenticated attacker can read worklist records from a
| directory outside the intended per-AE worklist storage area. In a
| multi-area deployment, this can cross departmental or clinic data
| separation.


CVE-2026-44628[4]:
| An unauthenticated attacker can crash the worklist server with a
| single crafted query when the server has a valid Called AE Title /
| storage directory, the expected lockfile, and at least one matching
| worklist record.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-50003
    https://www.cve.org/CVERecord?id=CVE-2026-50003
[1] https://security-tracker.debian.org/tracker/CVE-2026-50254
    https://www.cve.org/CVERecord?id=CVE-2026-50254
[2] https://security-tracker.debian.org/tracker/CVE-2026-35505
    https://www.cve.org/CVERecord?id=CVE-2026-35505
[3] https://security-tracker.debian.org/tracker/CVE-2026-52868
    https://www.cve.org/CVERecord?id=CVE-2026-52868
[4] https://security-tracker.debian.org/tracker/CVE-2026-44628
    https://www.cve.org/CVERecord?id=CVE-2026-44628
[5] https://www.openwall.com/lists/oss-security/2026/07/01/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to