[Debian-med-packaging] Bug#1141411: dcmtk: CVE-2026-50003 CVE-2026-50254 CVE-2026-35505 CVE-2026-52868 CVE-2026-44628
Salvatore Bonaccorso
carnil at debian.org
Sat Jul 4 08:31:45 BST 2026
Source: dcmtk
Version: 3.7.0+really3.7.0-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for dcmtk.
I still filled this as RC level, but I'm unsure if they really would
warrant a security advisory, in particular the critical rated one
needs to connect to a malicious DICOM server.
CVE-2026-50003[0]:
| A malicious or compromised server can make a DCMTK client using bit-
| preserving C-GET storage mode write files outside the chosen output
| directory, using both relative (../) paths and absolute paths.
CVE-2026-50254[1]:
| An unauthenticated remote attacker can repeatedly send a single
| crafted connection request to leak memory. Against storescp in its
| default single-process mode, memory grows quickly and the service is
| eventually killed, after which it stops accepting connections until
| an operator restarts it.
CVE-2026-35505[2]:
| An unauthenticated remote attacker can repeatedly send crafted
| connection requests to leak memory. In single-process deployments
| the memory grows until the service is killed and the port stops
| responding until restart.
CVE-2026-52868[3]:
| An unauthenticated attacker can read worklist records from a
| directory outside the intended per-AE worklist storage area. In a
| multi-area deployment, this can cross departmental or clinic data
| separation.
CVE-2026-44628[4]:
| An unauthenticated attacker can crash the worklist server with a
| single crafted query when the server has a valid Called AE Title /
| storage directory, the expected lockfile, and at least one matching
| worklist record.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-50003
https://www.cve.org/CVERecord?id=CVE-2026-50003
[1] https://security-tracker.debian.org/tracker/CVE-2026-50254
https://www.cve.org/CVERecord?id=CVE-2026-50254
[2] https://security-tracker.debian.org/tracker/CVE-2026-35505
https://www.cve.org/CVERecord?id=CVE-2026-35505
[3] https://security-tracker.debian.org/tracker/CVE-2026-52868
https://www.cve.org/CVERecord?id=CVE-2026-52868
[4] https://security-tracker.debian.org/tracker/CVE-2026-44628
https://www.cve.org/CVERecord?id=CVE-2026-44628
[5] https://www.openwall.com/lists/oss-security/2026/07/01/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Debian-med-packaging
mailing list