Description
Sante DICOM Viewer Pro DCM File Parsing Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of DCM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28129.
Published: 2026-02-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a classic buffer overflow in the DCM file parser that allows a remote attacker to execute arbitrary code in the context of the running process. Because the input length is not validated before copying, an attacker can craft a malicious file and trigger the overflow, leading to full remote code execution.

Affected Systems

The flaw affects all installations of Sante DICOM Viewer Pro. The CVE data does not specify vulnerable versions, so all supported releases should be considered at risk until a vendor update is released.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. Consistent with that, the vulnerability is not listed in the CISA KEV catalog, and exploitation requires user interaction: the target must open a malicious DCM file or visit a malicious page that triggers the parser. Once exploited, the attacker can run arbitrary code with the privileges of the current process.

Generated by OpenCVE AI on April 18, 2026 at 11:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to the most recent release that fixes the buffer-overflow issue (CWE-120).
  • If a patch is not yet available, enforce strict input validation by verifying the file size and length fields before copying data into buffers to prevent buffer overflows (CWE-120).
  • Disable or restrict the ability to open untrusted DCM files, or sandbox the application to contain any potential exploit (CWE-120 mitigation).


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 02:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Santesoft
                                      Santesoft dicom Viewer Pro
CPEs                                  cpe:2.3:a:santesoft:dicom_viewer_pro:*:*:*:*:*:*:*:*
Vendors & Products                    Santesoft
                                      Santesoft dicom Viewer Pro

Tue, 24 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sante
                                      Sante dicom Viewer Pro
Vendors & Products                    Sante
                                      Sante dicom Viewer Pro

Fri, 20 Feb 2026 22:30:00 +0000

Type          Values Removed   Values Added
Description                    Sante DICOM Viewer Pro DCM File Parsing Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DCM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28129.
Title                          Sante DICOM Viewer Pro DCM File Parsing Buffer Overflow Remote Code Execution Vulnerability
Weaknesses                     CWE-120
References
Metrics                        cvssV3_0
                               {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-24T14:56:03.492Z

Reserved: 2026-02-06T01:10:06.683Z

Link: CVE-2026-2034

Vulnrichment

Updated: 2026-02-24T14:55:58.456Z

NVD

Status : Analyzed

Published: 2026-02-20T23:16:03.233

Modified: 2026-02-26T02:29:30.250

Link: CVE-2026-2034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses