Description
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Manipulation of the parsed input can lead to a heap-based buffer overflow. The attack can be performed remotely. An exploit has been published and may be used. The fix is commit 1d4b3815c0987840a983160bfc671fef63a3105b; applying this patch is the recommended way to resolve the issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based buffer overflow occurs in the XMLNode::parseFile function of the OFFIS DCMTK library, allowing an attacker to corrupt heap memory. The vulnerability falls under memory management weaknesses (CWE-119, CWE-122) and can enable arbitrary code execution or denial of service when the function processes an attacker-controlled XML file.

Affected Systems

The flaw affects OFFIS DCMTK versions up to 3.7.0. These libraries are commonly embedded in medical imaging and DICOM handling applications, which may read XML files from external sources (based on typical use cases).

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. However, the issue can be exploited remotely, and a published exploit exists, which elevates the real-world risk beyond what the CVSS score alone suggests. Immediate patching is strongly advised to prevent exploitation.

Generated by OpenCVE AI on June 21, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch associated with commit 1d4b3815c0987840a983160bfc671fef63a3105b to upgrade DCMTK beyond version 3.7.0.
  • Configure the application to avoid parsing untrusted or external XML files, or restrict network access to services that invoke the parseFile function.
  • Set up monitoring to detect anomalous XML parsing attempts or memory usage spikes, and investigate any such events promptly.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Title | | OFFIS DCMTK ofxml.cc parseFile heap-based overflow
First Time appeared | | Offis; Offis dcmtk
Weaknesses | | CWE-119; CWE-122
CPEs | | cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:*
Vendors & Products | | Offis; Offis dcmtk
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}; cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}; cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T19:15:07.079Z

Reserved: 2026-06-21T04:12:52.334Z

Link: CVE-2026-12805

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-21T21:00:08Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-122

    Heap-based Buffer Overflow