Stack-based Buffer Overflow in DCMTK Affected by StorageQuota Manipulation
CVE-2020-36855
What is CVE-2020-36855?
A stack-based buffer overflow exists in DCMTK versions up to 3.6.5, in the parseQuota function of the dcmqrscp component. The function handles the StorageQuota argument improperly, which may overflow a buffer on the stack. Exploitation requires local access. Upgrading to version 3.6.6 or later mitigates the risk; the patch identifier is 0fef9f02e, and applying this update is strongly advised.
Affected Version(s)
DCMTK 3.6.0
DCMTK 3.6.1
DCMTK 3.6.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved