CVE-2026-10194: OFFIS DCMTK Heap Buffer Overflow in Query/Retrieve Service
A heap-based buffer overflow exists in OFFIS DCMTK 3.7.0 within the query/retrieve service component (dcmqrscp). An authenticated attacker can trigger this flaw remotely by sending specially crafted requests to the image deletion function, potentially causing memory corruption, data loss, or service disruption. The vulnerability requires valid credentials to exploit but poses moderate risk in networked medical imaging environments where DCMTK is deployed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-119, CWE-122
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in OFFIS DCMTK 3.7.0. This affects the function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages of the file dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. This patch is called 0f78a4ef6f645ea5530166e445e5436a5de58e75. A patch should be applied to remediate this issue.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10194 is a heap-based buffer overflow in the DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages function within dcmqrdb/libsrc/dcmqrdbi.cc of OFFIS DCMTK 3.7.0. The flaw arises from improper bounds checking during memory operations in the oldest image deletion routine of the dcmqrscp (DICOM query/retrieve service provider). An authenticated remote attacker can manipulate input to overflow heap memory, potentially achieving arbitrary code execution or denial of service. The CWE classifications (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-122: Heap-based Buffer Overflow) confirm the root cause involves unsafe buffer operations.
Business impact
In healthcare and medical imaging networks relying on DCMTK-based DICOM services, successful exploitation could lead to unauthorized deletion or corruption of archived medical images, loss of critical diagnostic data, service outages affecting patient care workflows, and potential compliance violations (HIPAA, GDPR) due to data integrity breaches. Organizations using dcmqrscp for image archival and retrieval face operational disruption and data loss risks.
Affected systems
OFFIS DCMTK version 3.7.0 is confirmed affected. The dcmqrscp component (DICOM Query/Retrieve Service Provider) is the attack surface. Organizations should verify whether they run DCMTK 3.7.0 in production, particularly in PACS (Picture Archiving and Communication Systems) or medical imaging archive roles. Determine whether dcmqrscp is network-exposed and what authentication controls exist.
Exploitability
Exploitation requires valid credentials (authenticated access), lowering the immediate risk for publicly exposed systems without authentication. However, in internal networks or systems with weak credential management, the attack surface expands. Network accessibility is required but not difficult to achieve in healthcare environments where DICOM services communicate across subnets. No public exploit code has been disclosed, and the vulnerability is not tracked in CISA's KEV catalog, suggesting limited active exploitation at publication.
Remediation
Apply the patch identified by commit 0f78a4ef6f645ea5530166e445e5436a5de58e75. Verify the patch is available from OFFIS in a formal DCMTK release or security advisory. Alternatively, if a patched version of DCMTK is released after 3.7.0, upgrade to that version. In the interim, restrict network access to dcmqrscp endpoints using firewall rules, segment DICOM services behind VPNs or jump hosts, and enforce strong authentication (multi-factor authentication where possible) to reduce attacker reach.
Patch guidance
Obtain the patch from OFFIS DCMTK's official repository or security advisory corresponding to commit 0f78a4ef6f645ea5530166e445e5436a5de58e75. Verify the patch version by checking DCMTK release notes or advisory documentation. Test the patched version in a non-production environment against your DICOM workflows (query, retrieve, image deletion) to ensure compatibility and performance. Schedule maintenance windows for production DICOM services to minimize patient care disruption. Document patch application and version changes in your asset management system.
Detection guidance
Monitor dcmqrscp process logs and DICOM query/retrieve service logs for unusual deletion requests, especially those targeting large image sets or using unexpected query parameters. Watch for heap corruption indicators: segmentation faults, memory access violations, or unexpected service crashes during image archival operations. Implement network-level monitoring for authenticated connections to dcmqrscp followed by unusual traffic patterns. Deploy application-level logging if DCMTK debug modes are available. Endpoint detection and response (EDR) tools should flag heap overflow attempts if exploitation is attempted.
Why prioritize this
Although CVSS 3.1 scores this as MEDIUM (6.3), the authentication requirement and lack of active exploitation initially limit urgency. However, prioritize patching if dcmqrscp is internet-facing, handles sensitive medical data, or operates in environments with credential compromise risk. Medical imaging data is high-value for ransomware operations and data theft; integrity loss of DICOM archives carries compliance and operational consequences. Mid-tier priority: patch within 30–60 days in most healthcare environments, sooner if dcmqrscp is exposed or credential controls are weak.
Risk score, explained
CVSS 3.1 score of 6.3 (MEDIUM) reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), but requirement for valid authentication (PR:L). Impact is limited to confidentiality, integrity, and availability of the affected process (S:U = Unchanged scope). The score does not fully capture the business context of healthcare data criticality or ransomware risk; organizations should apply industry context when prioritizing.
Frequently asked questions
What is OFFIS DCMTK and why do I care?
DCMTK (DICOM Toolkit) is a widely used open-source library for implementing DICOM (Digital Imaging and Communications in Medicine) standards. dcmqrscp is its query/retrieve service, commonly deployed in medical imaging archives, PACS, and diagnostic centers. If your organization archives, shares, or retrieves medical images, you likely depend on DCMTK-based services.
Do I need valid login credentials to exploit this vulnerability?
Yes. The CVSS vector indicates PR:L (requires Low Privilege), meaning an authenticated attacker can exploit this flaw. If dcmqrscp is not exposed to the internet and is only accessible by internal DICOM clients with managed credentials, risk is lower. However, credential compromise, insider threats, or lateral movement attacks could bypass this protection.
What happens if this vulnerability is exploited?
A successful exploit can corrupt or delete medical images in the archive, disrupt DICOM query/retrieve operations, cause service crashes, or potentially allow arbitrary code execution in the context of the dcmqrscp process. The severity depends on the attacker's objectives: data theft, ransomware deployment, or denial of service.
Is there public exploit code available?
No. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public proof-of-concept has been disclosed. This does not mean the flaw is not exploitable; it simply means active, widespread exploitation has not been observed or reported as of the publication date.
This analysis is based on CVE-2026-10194 as published and the patch commit reference provided. Verify all patch versions, availability, and compatibility against official OFFIS DCMTK advisories and release notes before deployment. Healthcare organizations should validate that patches do not interfere with clinical workflows, DICOM compliance, or interoperability. This is not a substitute for vendor guidance or independent security testing. Risk scores and prioritization guidance are contextual; apply your organization's risk management policies and threat modeling. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10200MEDIUMAssimp 6.0.4 Heap Buffer Overflow in glTF Matrix Parser
- CVE-2026-10229MEDIUMAssimp Half-Life MDL Loader Heap Buffer Overflow
- CVE-2026-10230MEDIUMAssimp Half-Life MDL Loader Heap Buffer Overflow Vulnerability
- CVE-2026-10231MEDIUMAssimp Heap Buffer Overflow in HL1 MDL Loader
- CVE-2025-55664MEDIUMGPAC MP4Box Heap Buffer Overflow DoS Vulnerability
- CVE-2026-10064MEDIUMTRENDnet TEW-432BRP Stack Overflow – Unpatched EOL Router Vulnerability
- CVE-2026-10114MEDIUMOpen5GS Out-of-Bounds Write in NF Profile Parser
- CVE-2026-10232MEDIUMAssimp Use-After-Free in ASE Parser (CVSS 5.3)