CVE-2024-28130

moderate-risk

Published 2024-04-23

An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS DCMTK 3.6.8. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (2)

Dcmtk

Debian Linux

Affected Vendors

Debian Offis

References (6)

Third Party Advisory https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html

Exploit https://talosintelligence.com/vulnerability_reports/TALOS-2024-1957

Third Party Advisory https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html

https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html

Exploit https://talosintelligence.com/vulnerability_reports/TALOS-2024-1957

https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1957

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 7/34 · Low