Medium severity5.3NVD Advisory· Published Oct 21, 2025· Updated Apr 29, 2026

CVE-2020-36855

Description

A security vulnerability has been detected in DCMTK up to 3.6.5. The affected element is the function parseQuota of the component dcmqrscp. The manipulation of the argument StorageQuota leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Upgrading to version 3.6.6 is sufficient to fix this issue. The identifier of the patch is 0fef9f02e. It is recommended to upgrade the affected component.

Affected products

Dcmtk/Dcmtk
cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:*
Range: <3.6.6

Patches

6cb30bd7fb42

Updated release date in INSTALL file and for autoconf.

https://github.com/dcmtk/dcmtkMichael OnkenJan 14, 2021via osv

commit

4 files changed · +11 −5

config/configure+3 −2 modified

@@ -2846,8 +2846,9 @@ ac_config_headers="$ac_config_headers include/dcmtk/config/osconfig.h"
 
 
 PACKAGE_VERSION_NUMBER=366
-PACKAGE_VERSION_SUFFIX="+"
-PACKAGE_DATE="DEV"
+PACKAGE_VERSION_SUFFIX=""
+PACKAGE_DATE="2021-01-14"
+
 
 cat >>confdefs.h <<_ACEOF
 #define PACKAGE_VERSION_NUMBER ${PACKAGE_VERSION_NUMBER}

config/configure.in+2 −2 modified

@@ -11,8 +11,8 @@ dnl Additional Package Information
 dnl -------------------------------------------------------
 
 PACKAGE_VERSION_NUMBER=366
-PACKAGE_VERSION_SUFFIX="+"
-PACKAGE_DATE="DEV"
+PACKAGE_VERSION_SUFFIX=""
+PACKAGE_DATE="2021-01-14"
 AC_DEFINE_UNQUOTED(PACKAGE_VERSION_NUMBER,${PACKAGE_VERSION_NUMBER},[Define to the version number of this package.])
 AC_DEFINE_UNQUOTED(PACKAGE_VERSION_SUFFIX,"${PACKAGE_VERSION_SUFFIX}",[Define to the version suffix of this package.])
 AC_DEFINE_UNQUOTED(PACKAGE_DATE,"${PACKAGE_DATE}",[Define to the release date of this package.])

docs/CHANGES.366+5 −0 modified

@@ -3,6 +3,11 @@ Release 3.6.6 (Public Minor Release - 2021-01-14)
 
 **** Changes from 2021.01.14 (onken)
 
+- Updated release date in INSTALL file and for autoconf.
+  Affects: INSTALL
+           public/config/configure
+           public/config/configure.in
+
 - Final changes for Release 3.6.6.
   Affects: ANNOUNCE
            CMake/dcmtkPrepare.cmake

INSTALL+1 −1 modified

@@ -988,4 +988,4 @@ Have fun.
 M. Eichelberg, J. Riesmeier, M. Onken, J. Schlamelcher, P. Arizpe Gomez
 DCMTK Development Team, Oldenburg, Germany.
 
-Last revised: 2021-01-06 (Onken)
+Last revised: 2021-01-14 (Onken)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

shimo.im/docs/rp3OMVMDPKtjn0km/nvdExploitThird Party Advisory
shimo.im/docs/rp3OMVMDPKtjn0km/readnvdExploitThird Party Advisory
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdPermissions RequiredVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000