Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software
A quintet of vulnerabilities has been identified in a DICOM toolkit – OFFIS DCMTK – that is extensively used in medical imaging software. DICOM (Digital Imaging and Communications in Medicine) is the universal technical standard used to store, transmit, print, and display medical imaging data and is used by virtually all medical imaging devices. Since the toolkit is used in many medical imaging software solutions, the vulnerabilities are significant.
Successful exploitation of the vulnerabilities could expose patient information, disrupt DICOM storage or worklist services, exhaust service memory, crash imaging services, or cause DCMTK-based clients to write files outside the intended output directory. The vulnerabilities were identified by independent security researcher Abhinav Agarwal, who reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendor in May 2026. Agarwal identified the vulnerabilities using standard subscriptions to Claude and ChatGPT, then manually reviewed and confirmed the findings.
One of the vulnerabilities is rated critical, with a CVSS v3.1 base score of 9.8, and the other four are rated high severity, with CVSS v3.1 base scores ranging from 7.5 to 8.2 (v4.0: 8.7 to 8.8). CISA published a security advisory about the vulnerabilities on June 30, 2026.
The vulnerabilities affect OFFIS DCMTK versions prior to v3.7.0 and are tracked under the following CVEs:
| CVE | Severity | CVSS v3.1 | CVSS v4.0 | Vulnerability |
|---|---|---|---|---|
| CVE-2026-50003 | Critical | 9.8 | 9.3 | Improper limitation of a pathname to a restricted directory (path traversal) |
| CVE-2026-52868 | High | 8.2 | 8.8 | Improper limitation of a pathname to a restricted directory (path traversal) |
| CVE-2026-50254 | High | 7.5 | 8.7 | Missing release of memory after effective lifetime |
| CVE-2026-35505 | High | 7.5 | 8.7 | Missing release of memory after effective lifetime |
| CVE-2026-44628 | High | 7.5 | 8.7 | Access of resource using incompatible type (type confusion) |
According to CISA, the maintainer of the toolkit was informed about the vulnerabilities and has issued a fix; however, Agarwal contacted The HIPAA Journal to warn that the vendor has so far applied the fix only upstream in the master branch, which means downstream libraries and operators have no tagged release containing the fix to upgrade to. Users will need a fixed release or a vendor-provided update path.
One of the problems with vulnerabilities in DICOM toolkits is that many end users may be running DICOM software with known, disclosed vulnerabilities and be unaware that their software is vulnerable, unless they are provided with a Software Bill of Materials (SBOM) and routinely check for vulnerabilities in all components. Agarwal suggested that healthcare entities should ask their imaging vendors whether DCMTK is present, which versions are used, whether the CISA advisories apply, and when patched builds will ship.
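As an added illustration of the SBOM check described above (example code written for this article, not from CISA, OFFIS, or the researcher), the script below walks a CycloneDX-style SBOM, flags any DCMTK component older than v3.7.0 (or with no recorded version) and lists the five advisory CVEs against it. The SBOM content is constructed for the example and the component naming is an assumption about how a vendor might list the library.

```python
"""Flag DCMTK components in a CycloneDX-style SBOM that fall under the CISA advisory."""
import json
import re

# Affected: DCMTK versions prior to v3.7.0 (per the advisory summarised above).
FIXED_VERSION = (3, 7, 0)
DCMTK_CVES = ["CVE-2026-50003", "CVE-2026-52868", "CVE-2026-50254",
              "CVE-2026-35505", "CVE-2026-44628"]


def parse_version(v):
    """Turn '3.6.8', 'v3.7.0-1' or '3.6' into a 3-tuple of ints; non-numeric suffixes are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", v)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_dcmtk(component):
    """Match on component name or package URL; vendors may capitalise either way."""
    name = component.get("name", "").lower()
    purl = component.get("purl", "").lower()
    return "dcmtk" in name or "dcmtk" in purl


def find_affected(sbom):
    """Return DCMTK components that are older than the fixed version or have no version at all.
    A missing version is treated as affected, since it cannot be shown to be safe."""
    findings = []
    for comp in sbom.get("components", []):
        if not is_dcmtk(comp):
            continue
        ver = comp.get("version", "")
        if not ver or parse_version(ver) < FIXED_VERSION:
            findings.append({"name": comp.get("name"), "version": ver or "unknown",
                             "cves": DCMTK_CVES})
    return findings


# Constructed sample SBOM for the example; not taken from any real vendor.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "dcmtk", "version": "3.6.8", "purl": "pkg:generic/dcmtk@3.6.8"},
    {"type": "library", "name": "libpng", "version": "1.6.43"},
    {"type": "library", "name": "DCMTK", "version": "3.7.0"}
  ]
}""")

if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM):
        print(f"{f['name']} {f['version']}: affected by {', '.join(f['cves'])}")
```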


