Activity
From 2026-05-28 to 2026-06-26
2026-06-26
-
07:57 Bug #1233 (Closed): Access-control gap in dcmqrscp
-
07:56 Bug #1227 (Closed): Fix potential heap overflow with DNS resolve result
-
07:56 Bug #1229 (Closed): Heap Overflow in DB_DuplicateElement (dcmqrdb)
-
07:56 Bug #1228 (Closed): Heap overflow when computing PDU length + safety margin
-
07:56 Bug #1230 (Closed): Potential DoS via mutlipe User Identity Negotiation sub-items
-
07:56 Bug #1231 (Closed): Out-of-bounds read in OFStandard::sanitizeFilename()
-
07:55 Bug #1232 (Closed): Potential NUL-termination missing in use of strncpy
-
07:55 Bug #1234 (Closed): Remote unauthenticated memory-leak DoS in parseAssociate() presentation-context error path
-
07:55 Bug #1235 (Closed): Stack buffer overflow in dcmqrscp QR Level handling
2026-06-22
-
22:22 Bug #1236 (Closed): Out of bounds read in dcmqrdb's deleteOldestImages() method
- As reported by Yuxiao Yan:
|_. File |@dcmqrdb/libsrc/dcmqrdbi.cc@ |
|_. Function |@DcmQueryRetrieveIndexDatabaseH... -
20:52 Bug #1235: Stack buffer overflow in dcmqrscp QR Level handling
- Fixed with commit 34fa53.
-
20:50 Bug #1235 (Closed): Stack buffer overflow in dcmqrscp QR Level handling
- Stack overflow as reported by Yuxiao Yan:
h1. Vulnerability Summary
In `DcmQueryRetrieveIndexDatabaseHandle::... -
20:46 Bug #1234: Remote unauthenticated memory-leak DoS in parseAssociate() presentation-context error path
- Closed with commit 688a16.
-
15:18 Bug #1234 (Closed): Remote unauthenticated memory-leak DoS in parseAssociate() presentation-context error path
- As reported by Yuxiao Yan:
== Summary ==
When parseAssociate() (dcmnet/libsrc/dulparse.cc) fails while pars... -
15:14 Bug #1233: Access-control gap in dcmqrscp
- Closed by commit 696abc.
-
15:03 Bug #1233 (Closed): Access-control gap in dcmqrscp
- As reported by Yuxiao Yan:
Tested version
--------------
- Upstream git, commit 5708ba6c (cloned 2026-06-11)....
2026-06-19
-
17:26 Bug #1232: Potential NUL-termination missing in use of strncpy
- Fixed in commit 782c652.
-
17:20 Bug #1232 (Closed): Potential NUL-termination missing in use of strncpy
- As reported by Arash Ale Ebrahim:
Summary
-------
The internal getString() helper used by every DIMSE command pa... -
17:26 Bug #1231: Out-of-bounds read in OFStandard::sanitizeFilename()
- Fixed in commit e1f914 (and older commit e3878d).
-
17:17 Bug #1231 (Closed): Out-of-bounds read in OFStandard::sanitizeFilename()
- As reported by Arash Ale Ebrahim:
The OFString overload of sanitizeFilename iterates by length() — not until NUL —... -
17:24 Bug #1230: Potential DoS via mutlipe User Identity Negotiation sub-items
- Fixed with commit e61270.
-
17:11 Bug #1230 (Closed): Potential DoS via mutlipe User Identity Negotiation sub-items
- As reported by Arash Ale Ebrahim:
The DUL parser allows an A-ASSOCIATE-RQ PDU to contain multiple User Identity N... -
16:39 Bug #1226 (Closed): Unbound recursion in DSRDocumentTreeNode::readXML()
-
14:25 Bug #1228: Heap overflow when computing PDU length + safety margin
- Fixed with commit 537815.
-
13:09 Bug #1228 (Closed): Heap overflow when computing PDU length + safety margin
- Fix potential heap overflow that could occur if the safety margin of 100 bytes added to the expected PDU length goes ...
-
14:23 Bug #1229: Heap Overflow in DB_DuplicateElement (dcmqrdb)
- Fixed with commit b2d33e.
-
13:16 Bug #1229 (Closed): Heap Overflow in DB_DuplicateElement (dcmqrdb)
- Using an int instead of size_t for computing the size of a buffer can make the int overflow and therefore create a mu...
-
14:23 Bug #1227: Fix potential heap overflow with DNS resolve result
- Fixed with commit 63b0ba.
-
12:59 Bug #1227 (Closed): Fix potential heap overflow with DNS resolve result
- Bug reported by Dominik Blain:
An attacker controlling a PTR DNS record can overflow a 260-byte stack buffer on ev... -
10:29 Bug #1082 (Closed): Possible memory leak in DcmDataset copy constructor
2026-06-17
-
18:20 Bug #1221: Out-of-bounds read in bundled IJG JPEG Huffman decoder
- This issue was also reported on 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin. It has been register...
-
17:53 Bug #1226: Unbound recursion in DSRDocumentTreeNode::readXML()
- Closed by commit #9057782f9.
-
17:51 Bug #1226 (Closed): Unbound recursion in DSRDocumentTreeNode::readXML()
- Currently, the XML to DICOM SR parser relies on a depth gate in libxml2 to prevent unbound recursion when reading a m...
-
17:46 Bug #1224 (Closed): xml2dcm parseDataSet / parseSequence mutual recursion
-
16:52 Bug #1225 (Closed): json2dcm readValue JSON SQ unbounded recursion
- Closed by commit #cf955e64c.
2026-06-16
-
18:25 Bug #1225: json2dcm readValue JSON SQ unbounded recursion
- Reported 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin.
-
18:24 Bug #1225: json2dcm readValue JSON SQ unbounded recursion
- This issue has been registered as CVE-2026-44037.
-
18:24 Bug #1225 (Closed): json2dcm readValue JSON SQ unbounded recursion
- @DcmJsonReaderBase::readValue()@ recurses via @DcmJsonReaderBase::parseSequence()@ on SQ JSON value items with no dep...
-
18:15 Bug #1224: xml2dcm parseDataSet / parseSequence mutual recursion
- Closed by commit #87f256d73.
-
18:12 Bug #1224 (Closed): xml2dcm parseDataSet / parseSequence mutual recursion
- @DcmXMLParseHelper::parseDataSet()@ at xml2dcm.cc:618 calls @parseSequence()@ for every @<sequence>@ element. @parseS...
2026-06-12
-
11:59 Bug #1221 (Closed): Out-of-bounds read in bundled IJG JPEG Huffman decoder
-
11:59 Bug #1222 (Closed): Out-of-bounds read in CharLS JPEG-LS EndScan()
-
11:59 Bug #1223 (Closed): Out-of-bounds read in CharLS JPEG-LS QuantizeGratient()
2026-06-11
-
07:40 Bug #1223: Out-of-bounds read in CharLS JPEG-LS QuantizeGratient()
- Fixed with commit b6691c7a0fdfd261c20c2509c2ac16966bd37763
-
07:40 Bug #1222: Out-of-bounds read in CharLS JPEG-LS EndScan()
- Fixed with commit b818c19720bd3c5c273f7c0578fef3990333af22
-
07:39 Bug #1221: Out-of-bounds read in bundled IJG JPEG Huffman decoder
- Fixed with commit d6ae1bc8d5b9ae9c7300013c8c85cc2ea0fd8cf5.
2026-06-10
-
11:16 Bug #1223 (Closed): Out-of-bounds read in CharLS JPEG-LS QuantizeGratient()
- DCMTK's bundled CharLS JPEG-LS library (dcmjpls/libcharls) performs an out-of-bounds heap read in its near-lossless d...
-
11:15 Bug #1222 (Closed): Out-of-bounds read in CharLS JPEG-LS EndScan()
- DCMTK's bundled CharLS JPEG-LS library (dcmjpls/libcharls) performs an out-of-bounds heap read when finishing decode ...
-
11:13 Bug #1221 (Closed): Out-of-bounds read in bundled IJG JPEG Huffman decoder
- DCMTK's bundled IJG JPEG library (dcmjpeg/libijg8, and the identical libijg12/libijg16 copies) contains a Huffman-tab...
2026-06-05
-
18:32 Bug #1205 (Closed): Building of a single shared library fails
- Closed by commit #37bbe0f81.
-
11:08 Feature #1220 (New): Use of DcmDate/Time/DateTime instead of OFDate/Time/DateTime
- In various places in DCMTK the classes OFDate/Time/DateTime are used to retrieve the current data or time in DICOM fo...
2026-05-31
-
11:28 Bug #1219 (Closed): Inconsistent handling of uncompressed icon images
- Closed by commit #d526cbb08.
-
08:28 Bug #1219 (Closed): Inconsistent handling of uncompressed icon images
- When loading a compressed DICOM image file that contains an Icon Image Sequence with uncompressed pixel data (which i...
2026-05-29
-
18:06 Bug #1217 (Closed): AE_6/AE_3 error-return paths skip heap cleanup
-
18:06 Bug #1217: AE_6/AE_3 error-return paths skip heap cleanup
- A second leak was discovered during fixing the orginally reported one.
translatePresentationContextList() also now... -
14:40 Bug #1218: wlmscpfs unchecked DcmElement* to DcmSequenceOfItems* cast
- Bug reported by Abhinav Agarwal.
-
14:31 Bug #1218 (Closed): wlmscpfs unchecked DcmElement* to DcmSequenceOfItems* cast
-
14:29 Bug #1218: wlmscpfs unchecked DcmElement* to DcmSequenceOfItems* cast
- Fixed in commit f4e007468.
-
14:25 Bug #1216 (Closed): destroyUserInformationLists() leaks ExtNeg sub-items
- Fixed with commit 23f181.
Also available in: Atom