Bug #1191
Updated by Jörg Riesmeier about 2 months ago
Received by email from the IN-CYPHER OSS Security Team (2026-03-09):
> *Subject:* IC-DCMTK-0003: Stack Overflow via Deeply Nested DICOM Sequences
> *Version:* DCMTK master 418274445 (DCMTK-3.7.0+64)
> *CWE:* CWE-674 (Uncontrolled Recursion)
>
> This report describes a stack overflow in the
> binary DICOM parser caused by unbounded mutual recursion between
> DcmSequenceOfItems::read() and DcmItem::read(). A crafted DICOM file
> containing approximately 1,060 levels of nested sequences (using tag
> (0040,A730) Content Sequence) exhausts the call stack, crashing any
> DCMTK-based application that parses the file. The PoC is only ~40 KB and
> affects all DICOM parsing operations including dcmdump, network
> services, and PACS servers. No recursion depth limit exists anywhere in
> the call chain.
>
> Please find the detailed report, proof-of-concept, and sanitizer output
> in the attachments.