

Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software

A quintet of vulnerabilities has been identified in a DICOM toolkit – OFFIS DCMTK – that is extensively used in medical imaging software. DICOM (Digital Imaging and Communications in Medicine) is the universal technical standard used to store, transmit, print, and display medical imaging data and is used by virtually all medical imaging devices. Since the toolkit is used in many medical imaging software solutions, the vulnerabilities are significant.

Successful exploitation of the vulnerabilities could expose patient information, disrupt DICOM storage or worklist services, exhaust service memory, crash imaging services, or cause DCMTK-based clients to write files outside the intended output directory. The vulnerabilities were identified by independent security researcher Abhinav Agarwal, who reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendor in May 2026. Agarwal identified the vulnerabilities using standard subscriptions to Claude and ChatGPT, then manually reviewed and confirmed the findings.

One of the vulnerabilities is rated critical, with a CVSS v3.1 base score of 9.8, and the other four are rated high severity, with CVSS v3.1 base scores ranging from 7.5 to 8.2 (v4.0: 8.7 to 8.8). CISA published a security advisory about the vulnerabilities on June 30, 2026.

The vulnerabilities affect OFFIS DCMTK versions prior to v3.7.0 and are tracked under the following CVEs:


CVE              Severity   CVSS v3.1   CVSS v4.0   Vulnerability
CVE-2026-50003   Critical   9.8         9.3         Improper limitation of a pathname to a restricted directory (path traversal)
CVE-2026-52868   High       8.2         8.8         Improper limitation of a pathname to a restricted directory (path traversal)
CVE-2026-50254   High       7.5         8.7         Missing release of memory after effective lifetime
CVE-2026-35505   High       7.5         8.7         Missing release of memory after effective lifetime
CVE-2026-44628   High       7.5         8.7         Access of resource using incompatible type (type confusion)
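Two of the five issues are path-traversal weaknesses that let a peer make a DCMTK-based client write outside its intended output directory. The following is an added example, not DCMTK's code and not a description of where the reported defects sit in DCMTK; it contrasts the weak pattern of joining a peer-supplied file name onto an output directory with a containment check a receiving application can apply before writing. The directory and file names are constructed for illustration.

```python
"""Added example (not DCMTK code): keep files written by a DICOM receiver
inside the configured output directory.

Shows the defect class the advisory names (path traversal, CWE-22) and one
containment check. Names and directories below are constructed.
"""
import os
from pathlib import Path


def naive_output_path(output_dir: str, suggested_name: str) -> str:
    """Weak pattern: join a peer-supplied name onto the output directory.

    os.path.join discards output_dir when suggested_name is absolute and
    leaves '..' segments untouched, so the result can point anywhere.
    """
    return os.path.join(output_dir, suggested_name)


def safe_output_path(output_dir: str, suggested_name: str) -> Path:
    """Return the path to write, or raise ValueError if it would escape.

    The candidate is resolved (symlinks and '..' collapsed) and accepted only
    if its parent is exactly the resolved output directory, i.e. it names a
    plain file directly inside that directory. Subdirectories are refused on
    purpose: a flat store is the policy this example enforces.
    """
    base = Path(output_dir).resolve()
    candidate = (base / suggested_name).resolve()
    if candidate == base or candidate.parent != base:
        raise ValueError(f"refusing to write outside {base}: {suggested_name!r}")
    return candidate


def is_contained(output_dir: str, suggested_name: str) -> bool:
    """Boolean wrapper around safe_output_path for checks and tests."""
    try:
        safe_output_path(output_dir, suggested_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    out = "/var/lib/dicom-store"  # constructed output directory
    # Constructed names: one ordinary SOP-instance file name, then names
    # that must be refused (parent traversal, absolute path, subdirectory).
    for name in ("1.2.840.113619.2.55.dcm", "../../outside.txt",
                 "/tmp/elsewhere.dcm", "sub/file.dcm"):
        print(f"{name!r:30} naive={naive_output_path(out, name)!r:40} "
              f"contained={is_contained(out, name)}")
```

The check resolves the candidate before comparing, so a symlink planted inside the store that points elsewhere is also refused; comparing unresolved strings would not catch that case.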

According to CISA, the maintainer of the toolkit was informed about the vulnerabilities and has issued a fix; however, Agarwal contacted The HIPAA Journal to warn that the fix has so far been applied upstream only in the master branch and not in a release, so downstream libraries and operators have no released version containing the fix to upgrade to. Users will need a fixed release or a vendor-provided update path.

One of the problems with vulnerabilities in DICOM toolkits is that many end users may be running DICOM software with known, disclosed vulnerabilities without being aware that their software is affected, unless they are provided with a Software Bill of Materials (SBoM) and routinely check every component for vulnerabilities. Agarwal suggested that healthcare entities should ask their imaging vendors whether DCMTK is present, what versions are used, whether the CISA advisories apply, and when patched builds will ship.
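The SBoM check described above, as an added example that is not part of the article and is not DCMTK's or CISA's tooling: it reads a CycloneDX-style JSON SBOM, picks out DCMTK components by name or package URL, and flags any version earlier than v3.7.0, the fixed version the article cites. The SBOM document is constructed for illustration; the CVE list is the one in the article, and an entry with no version recorded is flagged conservatively.

```python
"""Added example: flag DCMTK components below v3.7.0 in a CycloneDX-style SBOM.

Not DCMTK's or CISA's tooling. The SBOM below is constructed; the CVE list
and fixed version come from the article.
"""
import json
import re

FIXED_VERSION = (3, 7, 0)  # article: versions prior to v3.7.0 are affected
ADVISORY_CVES = (
    "CVE-2026-50003", "CVE-2026-52868", "CVE-2026-50254",
    "CVE-2026-35505", "CVE-2026-44628",
)

# Constructed SBOM: two vulnerable DCMTK entries (one under a distro package
# name), one already at the fixed version, and one unrelated library.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "dcmtk", "version": "3.6.8+",
         "purl": "pkg:github/DCMTK/dcmtk@3.6.8"},
        {"type": "library", "name": "libdcmtk17", "version": "3.6.7-9",
         "purl": "pkg:deb/debian/libdcmtk17@3.6.7-9"},
        {"type": "library", "name": "dcmtk", "version": "3.7.0"},
        {"type": "library", "name": "libpng", "version": "1.6.40"},
    ],
})


def parse_version(version: str) -> tuple:
    """Reduce a version string to its first three integer fields, zero-padded.

    Tolerates snapshot suffixes ("3.6.8+") and distro revisions ("3.6.7-9").
    """
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_dcmtk(component: dict) -> bool:
    """Match DCMTK by component name or package URL, case-insensitively."""
    name = (component.get("name") or "").lower()
    purl = (component.get("purl") or "").lower()
    return "dcmtk" in name or "dcmtk" in purl


def affected_components(sbom_json: str) -> list:
    """Return (name, version) pairs for DCMTK components below FIXED_VERSION.

    A DCMTK component with no recorded version is flagged as well, since it
    cannot be shown to be fixed.
    """
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        if not is_dcmtk(comp):
            continue
        version = comp.get("version") or ""
        if not version or parse_version(version) < FIXED_VERSION:
            hits.append((comp.get("name", "?"), version or "unknown"))
    return hits


def report(sbom_json: str) -> str:
    """Human-readable summary suitable for a vendor inquiry or a ticket."""
    hits = affected_components(sbom_json)
    if not hits:
        return "No DCMTK components below v3.7.0 found."
    return "\n".join(
        f"{name} {version}: below DCMTK v3.7.0, review {', '.join(ADVISORY_CVES)}"
        for name, version in hits
    )


if __name__ == "__main__":
    print(report(SAMPLE_SBOM))
```

Run it against a real SBOM by passing the file contents to report(); the name match is deliberately loose so that vendored copies and distro package names such as libdcmtk17 are not missed.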

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
