Bug #1225

closed

json2dcm readValue JSON SQ unbounded recursion

Added by Marco Eichelberg 3 days ago. Updated about 4 hours ago.

Status: Closed
Priority: Normal
Category: Library and Apps
Target version: -
Start date: 2026-06-16
Due date:
% Done: 100%
Estimated time: 1:00 h
Module: dcmdata
Operating System:
Compiler:

Description

DcmJsonReaderBase::readValue() recurses via DcmJsonReaderBase::parseSequence() on SQ JSON value items with no depth check. At 15,000 nesting levels the 8 MB default stack is exhausted.


Files

poc_008_deep.json (513 KB): PoC file that causes a segmentation fault when processed with json2dcm. Marco Eichelberg, 2026-06-16 18:22
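
A simplified model of the guard this report calls for, as an added example: it is not DCMTK code and not the change made in the referenced commit. The names `walkValue` and `checkDocument` and the cap `kMaxNesting = 64` are assumptions for illustration; the walker tracks only array/object nesting and is not a full JSON validator.

```cpp
#include <cstddef>
#include <string>

enum class Walk { Ok, TooDeep, Malformed };
const std::size_t kMaxNesting = 64;  // assumed cap; the page does not state the limit used in the fix

static void skipSpace(const std::string& s, std::size_t& pos) {
    pos = s.find_first_not_of(" \t\r\n", pos);
    if (pos == std::string::npos) pos = s.size();
}

// Walks one JSON value at s[pos]; depth counts the enclosing arrays/objects.
Walk walkValue(const std::string& s, std::size_t& pos, std::size_t depth) {
    skipSpace(s, pos);
    if (pos >= s.size()) return Walk::Malformed;
    const char open = s[pos];
    if (open != '[' && open != '{') {  // scalar or key: skip to next structural char
        bool inString = false;
        for (; pos < s.size(); ++pos) {
            const char c = s[pos];
            if (inString) {
                if (c == '\\') ++pos;  // skip the escaped character
                else if (c == '"') inString = false;
            } else if (c == '"') inString = true;
            else if (c == ',' || c == ':' || c == ']' || c == '}') break;
        }
        return inString ? Walk::Malformed : Walk::Ok;
    }
    // Depth check before descending: the guard the report says readValue() lacked.
    if (depth >= kMaxNesting) return Walk::TooDeep;
    const char close = (open == '[') ? ']' : '}';
    ++pos;  // consume the opening bracket
    skipSpace(s, pos);
    if (pos < s.size() && s[pos] == close) { ++pos; return Walk::Ok; }  // empty container
    for (;;) {
        const Walk r = walkValue(s, pos, depth + 1);
        if (r != Walk::Ok) return r;  // error propagates; stack use stays bounded by the cap
        skipSpace(s, pos);
        if (pos >= s.size()) return Walk::Malformed;
        if (s[pos] == close) { ++pos; return Walk::Ok; }
        if (s[pos] != ',' && s[pos] != ':') return Walk::Malformed;
        ++pos;  // consume separator
    }
}

Walk checkDocument(const std::string& json) {
    std::size_t pos = 0;
    const Walk r = walkValue(json, pos, 0);
    if (r == Walk::Ok) skipSpace(json, pos);
    return (r == Walk::Ok && pos != json.size()) ? Walk::Malformed : r;
}
```

Because the check runs before each descent, recursion depth is bounded by the cap regardless of input size, and the caller receives an error it can report instead of the process faulting.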
Actions #1

Updated by Marco Eichelberg 3 days ago

This issue has been registered as CVE-2026-44037.

Actions #2

Updated by Marco Eichelberg 3 days ago

Reported 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin.

Actions #3

Updated by Marco Eichelberg 2 days ago

  • Status changed from New to Closed
  • Assignee set to Marco Eichelberg
  • % Done changed from 0 to 100
  • Estimated time set to 1:00 h

Closed by commit #cf955e64c.

Actions #4

Updated by Marco Eichelberg about 4 hours ago

  • Private changed from Yes to No