Critical Vulnerabilities in OFFIS DCMTK Toolkit Threaten Healthcare Systems
CISA has identified multiple critical vulnerabilities in OFFIS DCMTK Toolkit versions prior to 3.7.0, including path traversal and memory leaks, that could allow attackers to compromise sensitive medical data and disrupt operations.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding multiple vulnerabilities discovered in the OFFIS DCMTK Toolkit, a widely used software library for handling medical imaging data. Versions prior to 3.7.0 are affected by several critical flaws, including path traversal, memory leaks, and denial-of-service conditions, which could allow unauthenticated remote attackers to gain unauthorized access, manipulate data, or disrupt critical healthcare services.
The vulnerabilities, detailed in CISA's Industrial Control Systems (ICS) Medical Advisories, pose a significant risk to the healthcare sector, where the DCMTK toolkit is integral to Picture Archiving and Communication Systems (PACS) and other medical imaging workflows. Successful exploitation could enable attackers to write arbitrary files to the system, access sensitive patient information outside of authorized directories, exhaust system memory leading to crashes, or directly crash affected client and server processes.
Among the most severe is CVE-2026-50003, a path traversal vulnerability. This flaw allows a malicious or compromised server to trick a DCMTK client into writing files outside of its designated output directory, potentially overwriting critical system files or injecting malicious content. Another critical vulnerability, CVE-2026-52868, also related to path traversal, permits an unauthenticated attacker to read worklist records from directories outside the intended storage area, potentially crossing departmental data boundaries in multi-area deployments.
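The path traversal described above is, at root, a client trusting a name it received over the network when it builds an output path. As an added example (not code from DCMTK, OFFIS or the advisory), the following Python shows the containment check a storage client should apply to a server-supplied identifier before writing under its output directory. It assumes, as an illustrative convention, that received objects are named after their SOP Instance UID; the DICOM UID alphabet (digits and dots) and 64-character limit are from the standard, and the `safe_output_path`, `is_valid_uid` and `demo` names are hypothetical.

```python
"""Keep files written by a DICOM receiver inside its configured output directory.

Illustrative hardening against the path-traversal class in the advisory;
this is not DCMTK's own code.
"""
import re
import tempfile
from pathlib import Path

# DICOM UIDs: 1 to 64 characters, digit groups separated by single dots.
_UID_RE = re.compile(r"[0-9]+(\.[0-9]+)*")


def is_valid_uid(uid: str) -> bool:
    """True if uid uses only the DICOM UID alphabet and respects the length limit."""
    return 1 <= len(uid) <= 64 and _UID_RE.fullmatch(uid) is not None


def safe_output_path(output_dir: str, untrusted_name: str, suffix: str = ".dcm") -> Path:
    """Build a path for an untrusted (server-supplied) name that cannot leave output_dir.

    Two independent layers: an allow-list on the name itself, then a check that
    the fully resolved path is a direct child of the resolved output directory.
    The second layer also catches a pre-planted symlink in output_dir that would
    redirect an otherwise well-formed name elsewhere on disk.
    """
    if "\x00" in untrusted_name:
        raise ValueError("NUL byte in filename")
    if "/" in untrusted_name or "\\" in untrusted_name:
        raise ValueError("path separator in filename")
    if not is_valid_uid(untrusted_name):
        raise ValueError("filename is not a valid DICOM UID")

    base = Path(output_dir).resolve()
    candidate = (base / (untrusted_name + suffix)).resolve()
    if candidate.parent != base:
        raise ValueError("resolved path escapes the output directory")
    return candidate


def demo() -> dict:
    """Run a mix of benign and hostile names against a throwaway directory.

    Returns {name: accepted} so the behaviour can be inspected or asserted on.
    The names are constructed samples, not captured traffic.
    """
    names = [
        "1.2.840.10008.1.1",        # well-formed UID: accepted
        "../../etc/passwd",         # classic traversal: rejected
        "/etc/passwd",              # absolute path: rejected
        "1.2.3/../../etc/passwd",   # traversal hidden behind a UID prefix: rejected
        "1.2.3\x00.txt",            # NUL truncation trick: rejected
        "1..2",                     # malformed UID: rejected
        "1" * 65,                   # over the 64-character limit: rejected
    ]
    results = {}
    with tempfile.TemporaryDirectory() as out_dir:
        for name in names:
            try:
                safe_output_path(out_dir, name)
                results[name] = True
            except ValueError:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {name!r}")
```

The allow-list on the name is what actually matters; the resolved-path comparison is a second layer that costs nothing and also covers the case where something is already wrong inside the output directory itself.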
Memory exhaustion vulnerabilities, identified as CVE-2026-50254 and CVE-2026-35505, present another significant threat. Attackers can repeatedly send crafted connection requests to trigger memory leaks. In single-process deployments, this can quickly consume all available memory, causing the service to crash and become unresponsive until manually restarted by an operator. This could lead to prolonged downtime and disruption of medical imaging services.
Furthermore, CVE-2026-44628 introduces a denial-of-service condition. An unauthenticated attacker can crash the worklist server with a single crafted query, provided certain conditions like a valid Called AE Title and storage directory are met. This could be used to disrupt the availability of essential medical imaging services.
The CVSS scores for these vulnerabilities are alarmingly high, with CVE-2026-50003 rated at 9.8 CRITICAL under CVSS v3.1 and 9.3 CRITICAL under CVSS v4.0. Other vulnerabilities also carry HIGH severity ratings, underscoring the urgency of addressing these issues.
OFFIS, the maintainer of the DCMTK Toolkit, has been notified and has provided fixes. These fixes are available in the latest commits on the project's GitHub repository, and users are strongly recommended to update to the latest available release. The advisory emphasizes that although a fix is available, organizations must proactively apply these updates to protect their systems and patient data from exploitation.
Given the widespread use of DCMTK in healthcare infrastructure worldwide, these vulnerabilities represent a critical threat. Healthcare organizations are urged to review their DCMTK installations, prioritize patching, and implement robust security monitoring to detect and respond to any potential exploitation attempts.