Description
An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.
Published: 2026-06-30
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The OFFIS DCMTK Toolkit contains a flaw that prevents allocated memory from being released after its intended lifetime, so a remote attacker can send successive crafted connection requests that each leak memory. The leaked memory accumulates until the system's memory pool is exhausted, the service crashes, and the port stops responding until the service is restarted. This is a high-severity vulnerability affecting availability, as reflected in the CVSS score provided.

Affected Systems

All installations of the OFFIS DICOM Toolkit (DCMTK) are affected, regardless of deployment model. The flaw is most severe in single-process deployments, where one memory pool is shared across all connections. No specific product version is listed, so any build released before the maintainer's latest commits is considered vulnerable.

Risk and Exploitability

The vulnerability is exploitable by an unauthenticated remote attacker, so any network exposure of the DCMTK service port provides the attack vector. The high CVSS score of 8.7 underscores significant risk, and the absence of an EPSS value does not make exploitation less likely in environments where the service port is exposed. The vulnerability is not yet included in the CISA KEV catalog. If an attack succeeds, the denial of service persists until a system administrator restarts the service, after which the leak can be triggered again.

Generated by OpenCVE AI on June 30, 2026 at 22:20 UTC.

Remediation

Vendor Solution

The maintainer was notified of these vulnerabilities and has provided a fix. The fix is included in the latest commits and can be obtained in the following snapshot: https://github.com/DCMTK/dcmtk/releases/tag/latest


OpenCVE Recommended Actions

  • Update the toolkit to the latest release available from the official GitHub repository, which includes the vendor‑provided fix.
  • Restart the DCMTK service to clear any accumulated memory before applying the update, so that the service starts from a clean state.
  • Monitor the service’s memory consumption and enforce limits on concurrent connections to mitigate the impact until a patched version is deployed.

Generated by OpenCVE AI on June 30, 2026 at 22:20 UTC.


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.
Title OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime
Weaknesses CWE-401
References
Metrics cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
        cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-30T21:09:46.797Z

Reserved: 2026-06-22T17:03:25.976Z

Link: CVE-2026-35505

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses
  • CWE-401: Missing Release of Memory after Effective Lifetime