CVE-2026-50254 HIGH

CVE-2026-50254: OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime

Vendor Offis Dicom
Product DCMTK Toolkit
Weakness CWE-401
Published June 30, 2026
Last update June 30, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator restarts it.

Key dates

02 Disclosure timeline

June 30, 2026 CVE published