OFFIS DCMTK ofxml.cc parseFile heap-based overflow
Description
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Manipulation of the input file can lead to a heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The fix is commit 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply the patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=3.7.0
Patches
Vulnerability mechanics
Root cause
"Missing error check on ftell() return value allows heap-buffer-overflow when parsing a FIFO."
Attack vector
An attacker can trigger the bug by providing a FIFO (named pipe) as the input file to `cda2dcm` (or any tool that calls `XMLNode::parseFile()`). The `ftell()` call on a non-seekable FIFO returns -1, which the code fails to reject. This leads to a 3-byte heap allocation followed by an `fread()` of `SIZE_MAX` bytes, causing a heap-buffer-overflow [CWE-122]. The attack is remotely exploitable because the input file can be supplied over the network [ref_id=1].
Affected code
The vulnerability resides in `XMLNode::parseFile()` in `ofstd/libsrc/ofxml.cc` (lines ~1962–1969). When the function is called with a FIFO (named pipe) as input, `ftell()` returns -1, but the code only checks for `l == 0`, not `l <= 0`, allowing a heap-buffer-overflow to proceed [ref_id=1][patch_id=6947854].
What the fix does
The patch changes the condition `if (!l)` to `if (l <= 0)` on line 1964 of `ofstd/libsrc/ofxml.cc` [patch_id=6947854]. This single-character change ensures that when `ftell()` returns -1 (indicating an error on non-seekable files like FIFOs), the function correctly treats the file as empty and returns early, preventing the subsequent heap-buffer-overflow [ref_id=2].
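To make the guard concrete, the following C program is an added example written for this page; it is not DCMTK code and does not reproduce the library's parser. It contrasts the two length checks the text describes (`if (!l)` versus `if (l <= 0)`) and shows a file reader built on the same fseek/ftell/fread pattern with the corrected check, fed once from a seekable in-memory stream and once from a pipe, which is non-seekable in the same way as a named FIFO. The function and variable names and the sample XML are constructed for the example.

```c
#define _GNU_SOURCE          /* for fmemopen() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pre-fix guard as the page describes it: only an exact length of 0 is
   rejected, so the -1 that ftell() returns for a FIFO is accepted as a length. */
int legacy_length_accepted(long l) { return !(!l); }

/* Post-fix guard (`if (l <= 0)`): -1 and 0 are both treated as nothing to read. */
int fixed_length_accepted(long l) { return !(l <= 0); }

/* Reads a whole stream into a NUL-terminated heap buffer using the
   fseek/ftell/fread pattern with the corrected length check. Returns NULL
   (and sets *out_len to 0) for empty input, non-seekable input such as a
   FIFO, or any I/O failure. The caller frees the result. */
char *read_whole_stream(FILE *f, size_t *out_len) {
    if (out_len) *out_len = 0;
    /* On a pipe or FIFO, fseek() fails with ESPIPE and ftell() returns -1.
       The original code ignored the fseek() result, so the ftell() check is
       the guard that matters: with `if (!l)` a -1 here would lead to a tiny
       allocation and an fread() request of (size_t)-1 bytes, the overflow
       described above. */
    (void)fseek(f, 0, SEEK_END);
    long l = ftell(f);
    if (!fixed_length_accepted(l)) return NULL;
    if (fseek(f, 0, SEEK_SET) != 0) return NULL;
    size_t n = (size_t)l;
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    size_t got = fread(buf, 1, n, f);
    if (got != n) { free(buf); return NULL; }
    buf[n] = '\0';
    if (out_len) *out_len = n;
    return buf;
}

/* Constructed sample: a minimal CDA root element. */
static const char SAMPLE_XML[] = "<ClinicalDocument></ClinicalDocument>";

/* Seekable case: the reader returns the full content. Caller frees. */
char *read_seekable_sample(void) {
    FILE *f = fmemopen((void *)SAMPLE_XML, strlen(SAMPLE_XML), "r");
    if (!f) return NULL;
    char *s = read_whole_stream(f, NULL);
    fclose(f);
    return s;
}

/* Returns 1 if the seekable read round-trips the sample exactly. */
int seekable_sample_matches(void) {
    char *s = read_seekable_sample();
    int ok = (s != NULL) && strcmp(s, SAMPLE_XML) == 0;
    free(s);
    return ok;
}

/* Returns 1 if the reader refuses a pipe (the same non-seekable case as a
   named FIFO) even though data is already waiting on it, 0 otherwise. */
int pipe_input_is_rejected(void) {
    int fds[2];
    if (pipe(fds) != 0) return 0;
    /* write the same sample into the pipe, then close the write end */
    if (write(fds[1], SAMPLE_XML, strlen(SAMPLE_XML)) < 0) {
        close(fds[1]); close(fds[0]); return 0;
    }
    close(fds[1]);
    FILE *f = fdopen(fds[0], "r");
    if (!f) { close(fds[0]); return 0; }
    char *s = read_whole_stream(f, NULL);
    fclose(f);
    if (s) { free(s); return 0; }
    return 1;
}

int main(void) {
    printf("seekable sample round-trips: %d\n", seekable_sample_matches());
    printf("pipe input rejected: %d\n", pipe_input_is_rejected());
    printf("legacy guard accepts -1: %d, fixed guard accepts -1: %d\n",
           legacy_length_accepted(-1), fixed_length_accepted(-1));
    return 0;
}
```

The reader also checks the second `fseek()` and the `fread()` byte count, which the page's description of the original code does not mention; those are ordinary defensive additions, not part of the DCMTK fix. A stricter variant would additionally reject any stream for which the first `fseek()` fails, so that the sizing logic never runs on something that is not a regular file.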
Preconditions
- Input: The attacker must supply a FIFO (named pipe) as the input file to a DCMTK tool that calls XMLNode::parseFile(), such as cda2dcm.
- Auth: No authentication is required; the attack can be performed remotely by providing the malicious input over the network.
- Config: The vulnerable code path is reachable via the documented cda2dcm workflow with the --filetype-cda flag.
Reproduction
Terminal 1 (reader):
```
export DCMDICTPATH=/path/to/dcmtk/dcmdata/data/dicom.dic
mkfifo /tmp/exploit.xml
./build-asan/bin/cda2dcm /tmp/exploit.xml out.dcm
```
Terminal 2 (writer, after ~1 second):
```
echo "<ClinicalDocument></ClinicalDocument>" > /tmp/exploit.xml
```
Expected output: `==ERROR: AddressSanitizer: heap-buffer-overflow` [ref_id=1].
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.dcmtk.org (mitre, patch)
- github.com/DCMTK/dcmtk/commit/1d4b3815c0987840a983160bfc671fef63a3105b (mitre, patch)
- medium.com/@faboherrera.fabo/dcmtk-vulnerability-report-201afc687790 (mitre, broken link, exploit)
- vuldb.com/cve/CVE-2026-12805 (mitre, third-party advisory)
- vuldb.com/submit/836273 (mitre, third-party advisory)
- support.dcmtk.org/redmine/issues/1208 (mitre, issue tracking)
- vuldb.com/vuln/372599 (mitre, vdb entry, technical description)
- vuldb.com/vuln/372599/cti (mitre, signature, permissions required)
News mentions
No linked articles in our index yet.