Remote Memory Leak in DCMTK Affects Unauthenticated Users
CVE-2026-50254

8.7HIGH

Key Information:

Vendor: Offis Dicom
Status: Dcmtk Toolkit
Vendor: CVE Published:; 30 June 2026

🔔 Create Offis Dicom Vulnerability Alert

What is CVE-2026-50254?

A memory leak vulnerability exists in the DCMTK 'storescp' service, where an unauthenticated remote attacker can repeatedly send a maliciously crafted connection request to exploit the service. This results in unbounded memory usage that causes the service to crash, ultimately preventing it from accepting new connections until manually restarted by an operator. This issue highlights the importance of securing exposed services against potential denial-of-service attacks via crafted requests.

Affected Version(s)

DCMTK Toolkit 0 <= 3.7.0

References

https://github.com/DCMTK/dcmtk/releases/tag/latest

https://www.cisa.gov/news-events/ics-medical-advisories/i...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 22, 2026

Credit

Abhinav Agarwal reported this vulnerability to CISA.

CVE-2026-50254 Data

JSON