Heap-based Buffer Overflow in OFFIS DCMTK Product
CVE-2026-12805

5.3MEDIUM

Key Information:

Vendor: Offis
Status: Dcmtk
Vendor: CVE Published:; 21 June 2026

What is CVE-2026-12805?

A security vulnerability has been identified in the OFFIS DCMTK, specifically in the XMLNode::parseFile function located in the library ofstd/libsrc/ofxml.cc. This issue could be exploited to create a heap-based buffer overflow, which allows attackers to manipulate data remotely. This vulnerability has been made public, raising concerns for users who have versions up to 3.7.0 of the product. Users are strongly advised to apply the provided patch (commit ID 1d4b3815c0987840a983160bfc671fef63a3105b) to mitigate any potential risks.

Affected Version(s)

DCMTK 3.0

DCMTK 3.1

DCMTK 3.2

References

https://vuldb.com/vuln/372599

vdb-entrytechnical-description

https://vuldb.com/vuln/372599/cti

signaturepermissions-required

https://vuldb.com/cve/CVE-2026-12805

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 21, 2026
Vulnerability Reserved
Jun 21, 2026

Credit

FaboHerrrera (VulDB User)

VulDB CNA Team

CVE-2026-12805 Data

JSON