Description
vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability
Published: 2026-06-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap-based buffer overflow in the vtk-dicom library, triggered when the function vtkDICOMItem::NewDataElement processes a DICOM data element that is larger than the buffer allocated for it. The overflow can corrupt memory and allows an attacker to execute arbitrary code in the context of the running process. This flaw is classified as CWE-129 and can lead to full privilege escalation if the process has elevated rights.

Affected Systems

The affected product is vtk-dicom from the VTK project. No specific product version numbers are listed in the CNA data. The vulnerability applies to any build of vtk-dicom that contains the unpatched vtkDICOMItem::NewDataElement routine.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. However, the overflow could be exploited by an attacker who can supply crafted DICOM data to a running vtk-dicom instance, so the attack vector is likely network-based. The absence of a KEV entry does not diminish the risk: a knowledgeable adversary could leverage this flaw to take control of the affected system.

Generated by OpenCVE AI on June 25, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest vtk-dicom release that incorporates a fix for the heap buffer overflow.
  • If an update is not immediately possible, isolate the DICOM-processing application and block external traffic that could deliver untrusted DICOM files; consider placing the service behind a firewall or network segmentation.
  • Whenever possible, replace legacy DICOM processing with a validated third-party library, or restrict the application to internally trusted data sources only.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000
  Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 03:30:00 +0000
  Type: First Time appeared
  Values added: Vtk; Vtk vtk
  Type: Vendors & Products
  Values added: Vtk; Vtk vtk

Thu, 25 Jun 2026 23:45:00 +0000
  Type: Title
  Values added: Heap-Based Buffer Overflow in vtk-dicom vtkDICOMItem::NewDataElement

Thu, 25 Jun 2026 22:00:00 +0000
  Type: Description
  Values added: vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability
  Type: Weaknesses
  Values added: CWE-129
  Type: References
  Values added: (none listed)
  Type: Metrics
  Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: talos

Published:

Updated: 2026-06-26T13:36:07.289Z

Reserved: 2026-02-05T20:01:55.285Z

Link: CVE-2026-22879

Vulnrichment

Updated: 2026-06-25T23:29:39.650Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T03:15:16Z

Weaknesses
  • CWE-129: Improper Validation of Array Index