A quintet of vulnerabilities has been identified in a DICOM toolkit – OFFIS DCMTK – that is extensively used in medical imaging software. DICOM (Digital Imaging and Communications in Medicine) is the universal technical standard used to store, transmit, print, and display medical imaging data and is used by virtually all medical imaging devices. Since the toolkit is used in many medical imaging software solutions, the vulnerabilities are significant.
Successful exploitation of the vulnerabilities could expose patient information, disrupt DICOM storage or worklist services, exhaust service memory, crash imaging services, or cause DCMTK-based clients to write files outside the intended output directory. The vulnerabilities were identified by independent security researcher Abhinav Agarwal, who reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendor in May 2026. Agarwal identified the vulnerabilities using standard subscriptions to Claude and ChatGPT, then manually reviewed and confirmed the findings.
One of the vulnerabilities is rated critical with a CVSS v3.1 base score of 9.8, and the other four are rated high severity, with CVSS v3.1 base scores ranging from 7.5 to 8.2 (v4.0: 8.7 to 8.8). CISA published a security advisory about the vulnerabilities on June 30, 2026.
The vulnerabilities affect OFFIS DCMTK versions prior to v3.7.0 and are tracked under the following CVEs:
CVE              Severity   CVSS v3.1   CVSS v4.0   Vulnerability
CVE-2026-50003   Critical   9.8         9.3         Improper limitation of a pathname to a restricted directory (path traversal)
CVE-2026-52868   High       8.2         8.8         Improper limitation of a pathname to a restricted directory (path traversal)
CVE-2026-50254   High       7.5         8.7         Missing release of memory after effective lifetime
CVE-2026-35505   High       7.5         8.7         Missing release of memory after effective lifetime
CVE-2026-44628   High       7.5         8.7         Access of resource using incompatible type (type confusion)
According to CISA, the maintainer of the toolkit was informed about the vulnerabilities and has issued a fix; however, Agarwal contacted The HIPAA Journal to warn that the vendor has so far applied the fix only upstream in the master branch. Until it is included in a tagged release, downstream libraries and operators have no fixed version to upgrade to. Users will need a fixed release or a vendor-provided update path.
One of the problems with vulnerabilities in DICOM toolkits is that many end users may be using DICOM software with known, disclosed vulnerabilities and be unaware that their software is vulnerable, unless they are provided with a Software Bill of Materials (SBoM) and routinely check for vulnerabilities in all components. Agarwal suggested that healthcare entities should ask their imaging vendors whether DCMTK is present, what versions are used, whether the CISA advisories apply, and when patched builds will ship.
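The SBOM check suggested above, as an added example that is not part of the original article or of DCMTK: it scans a constructed CycloneDX-style SBOM for DCMTK components older than the fixed release (3.7.0, per the advisory) and tags each hit with the five CVEs listed above. The SBOM content, component names and the version-parsing rules are assumptions for illustration.

```python
import json
from typing import Dict, List, Tuple

# Fixed release and CVE list as stated in the article (DCMTK before 3.7.0 is affected).
FIXED_VERSION = (3, 7, 0)
DCMTK_CVES = ["CVE-2026-50003", "CVE-2026-52868", "CVE-2026-50254",
              "CVE-2026-35505", "CVE-2026-44628"]

# Constructed sample SBOM in CycloneDX JSON layout (not from any real vendor).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "dcmtk", "version": "3.6.8"},
        {"type": "library", "name": "libpng", "version": "1.6.40"},
        {"type": "library", "name": "DCMTK", "version": "3.7.0"},
        {"type": "library", "name": "dcmtk", "version": "3.6.7-2"},
    ],
})


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string such as '3.6.7-2' into (3, 6, 7).
    Distro suffixes after '-' or '+' and non-numeric characters are ignored."""
    core = text.split("-")[0].split("+")[0]
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def find_vulnerable_dcmtk(sbom_json: str) -> List[Dict]:
    """Return every DCMTK component in the SBOM whose version predates the fix."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() != "dcmtk":
            continue  # only the toolkit named in the advisory is of interest here
        version = comp.get("version", "0")
        if parse_version(version) < FIXED_VERSION:
            findings.append({"name": comp["name"], "version": version,
                             "cves": DCMTK_CVES})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_dcmtk(SAMPLE_SBOM):
        print(f"{f['name']} {f['version']}: upgrade to 3.7.0 ({', '.join(f['cves'])})")
```

Run it against a real SBOM by replacing SAMPLE_SBOM with the file contents; components that list DCMTK under a different name or with no version will not be flagged and need a manual check.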
The post Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software appeared first on The HIPAA Journal.