Bug #1191
Updated by Jörg Riesmeier about 2 months ago
Received by email from the IN-CYPHER OSS Security Team IG Singapore (2026-03-09): > *Subject:* IC-DCMTK-0003: Stack Overflow via Deeply Nested DICOM Sequences > > This report describes a stack overflow in the > binary DICOM parser caused by unbounded mutual recursion between > DcmSequenceOfItems::read() and DcmItem::read(). A crafted DICOM file > containing approximately 1,060 levels of nested sequences (using tag > (0040,A730) Content Sequence) exhausts the call stack, crashing any > DCMTK-based application that parses the file. The PoC is only ~40 KB and > affects all DICOM parsing operations including dcmdump, network > services, and PACS servers. No recursion depth limit exists anywhere in > the call chain. > > Please find the detailed report, proof-of-concept, and sanitizer output > in the attachments.