DCMTK

Received by email from the IN-CYPHER OSS Security Team (2026-03-09):

Subject: IC-DCMTK-0002: Double-Free in DcmJSONReader via decodeBase64()
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-415 (Double Free)

This report details a double-free vulnerability in
the JSON DICOM reader's inlineBinary processing path. When
OFStandard::decodeBase64() receives invalid base64 input containing
fewer than 4 valid characters, it internally frees the allocated output
buffer at ofstd.cc:1892 but does not nullify the pointer. The calling
code in parseElement() at dcjsonrd.cc:752 then unconditionally executes
delete[] data, freeing the same memory a second time. A 43-byte JSON
input with a single-character base64 value triggers this heap
corruption.

Please find the detailed report, proof-of-concept, and sanitizer output
in the attachments.