Bug #1224: xml2dcm parseDataSet / parseSequence mutual recursion - DCMTK - OFFIS DCMTK and DICOM Projects

Actions

Copy link

Bug #1224

closed

xml2dcm parseDataSet / parseSequence mutual recursion

Added by Marco Eichelberg 3 days ago. Updated about 4 hours ago.

Status:

Closed

Priority:

Normal

Assignee:

Marco Eichelberg

Category:

Library and Apps

Target version:

Start date:

2026-06-16

Due date:

% Done:

100%

Estimated time:

1:00 h

Module:

dcndata

Operating System:

Compiler:

Description

DcmXMLParseHelper::parseDataSet() at xml2dcm.cc:618 calls parseSequence() for every <sequence> element. parseSequence() at xml2dcm.cc:457 calls parseDataSet() for every `<item>` element. This mutual recursion has no depth limit. At 15,000 nested levels the default 8 MB stack is exhausted.

Reported 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin.

This issue has been registered as CVE-2026-44036.

Files

poc_007_deep.xml (879 KB) poc_007_deep.xml

PoC file that causes a segmentation fault when processed with xml2dcm

Marco Eichelberg, 2026-06-16 18:11