CVE-2021-41687

moderate-risk

Published 2022-06-28

DCMTK through 3.6.6 does not handle memory free properly. The program malloc a heap memory for parsing data, but does not free it when error in parsing. Sending specific requests to the dcmqrdb program incur the memory leak. An attacker can use it to launch a DoS attack.

Do I need to act?

0.18% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Dcmtk

Affected Vendors

Offis

References (7)

Product https://github.com/DCMTK/dcmtk

Patch https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html

Product https://github.com/DCMTK/dcmtk

Patch https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html

https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal