DCMTK

Received by email from the IN-CYPHER OSS Security Team (2026-03-24):

Subject: IC-DCMTK-0009 Uninitialized Memory Read in JSMN Token Array
Version: DCMTK master 418274445 (DCMTK-3.7.0+64)
CWE: CWE-908 (Use of Uninitialized Resource)

This report describes a uninitialized memory read in the JSON DICOM reader.
The reserveTokens() function allocates tokenNum+1 JSMN tokens but the memset
at dcjsonrd.cc:200 only initializes the first tokenNum elements. While the
sentinel token's start, end, and size fields are explicitly set, the type
field is left containing heap garbage. When malformed JSON causes the token
pointer to advance into the sentinel position, the uninitialized type field
is read in a switch statement, causing undefined behavior. UBSan confirms
the issue, reporting invalid enum values. A 40-byte PoC triggers this bug.

Please find the detailed report, proof-of-concept, and sanitizer output
in the attachments.