OFFIS: Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software

Critical Vulnerabilities Discovered in Widely Used DICOM Medical Imaging Toolkit

Independent security researcher Abhinav Agarwal has uncovered five significant vulnerabilities in OFFIS DCMTK, a widely used toolkit for DICOM (Digital Imaging and Communications in Medicine) software. DICOM is the global standard for storing, transmitting, and processing medical imaging data, making these flaws particularly concerning for healthcare organizations.

The vulnerabilities, reported to CISA and the vendor in May 2026, could allow attackers to:

  • Expose patient data
  • Disrupt DICOM storage or worklist services
  • Exhaust system memory
  • Crash imaging services
  • Write files outside intended directories via path traversal
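The last item is the one a practitioner can reason about without the advisory text: a DICOM storage or worklist service writes received objects to disk, and if the filename is derived from peer-supplied data (a SOP Instance UID, for instance) an unfiltered value can walk out of the storage directory. The block below is an added example, not DCMTK's code, and the article does not say where DCMTK's traversal flaw sits; it shows the vulnerable concatenation beside a hardened form that allow-lists the value against the DICOM UID grammar and then checks containment after path resolution. The helper names (`unsafe_output_path`, `safe_output_path`, `is_contained`, `demo`) and the sample UID are assumptions made for the illustration.

```python
"""Path-traversal guard for a DICOM storage service that derives an output
filename from peer-supplied data such as a SOP Instance UID.

Added example: this is not DCMTK's code, and the article does not say where
DCMTK's traversal bug sits. The function names and sample inputs below are
assumptions made for the illustration."""
import re
import tempfile
from pathlib import Path

# DICOM UID grammar: dot-separated numeric components, at most 64 characters.
UID_RE = re.compile(r"[0-9]+(\.[0-9]+)*")
MAX_UID_LEN = 64


def unsafe_output_path(store_dir, instance_uid):
    """Vulnerable pattern: the untrusted value is concatenated straight into a path.
    '../x' walks out of store_dir, and an absolute value replaces store_dir entirely,
    because pathlib's '/' operator discards the left side when the right side is absolute."""
    return Path(store_dir) / f"{instance_uid}.dcm"


def is_contained(store_dir, candidate):
    """True if candidate resolves (symlinks followed) to a location inside store_dir."""
    base = Path(store_dir).resolve()
    cand = Path(candidate).resolve()
    return cand == base or base in cand.parents


def safe_output_path(store_dir, instance_uid):
    """Hardened form: allow-list the value against the UID grammar first, then
    verify containment after resolution as a second, independent check."""
    if len(instance_uid) > MAX_UID_LEN or not UID_RE.fullmatch(instance_uid):
        raise ValueError("filename component is not a well-formed DICOM UID")
    candidate = Path(store_dir) / f"{instance_uid}.dcm"
    if not is_contained(store_dir, candidate):
        raise ValueError("output path escapes the storage directory")
    return candidate


def _rejected(store_dir, value):
    try:
        safe_output_path(store_dir, value)
    except ValueError:
        return True
    return False


def demo():
    """Exercise both forms against constructed hostile and benign inputs in a
    throwaway directory; returns a dict of outcomes."""
    store = tempfile.mkdtemp(prefix="dicom-store-")
    benign_uid = "1.2.3.4.5.6.7.8.9"  # constructed sample UID
    hostile = ["../../tmp/evil", "/etc/passwd", "1.2.3/../../x"]  # constructed inputs
    return {
        "unsafe_escapes": all(
            not is_contained(store, unsafe_output_path(store, h)) for h in hostile
        ),
        "safe_rejects": all(_rejected(store, h) for h in hostile),
        "safe_accepts": safe_output_path(store, benign_uid).name == f"{benign_uid}.dcm",
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The grammar check alone already blocks every hostile value here; the containment check stays in place because it also catches the cases an allow-list cannot see, such as a symlink planted inside the storage directory.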

One flaw (CVE-2026-50003) is rated critical (CVSS 9.8), while the remaining four (CVE-2026-52868, CVE-2026-50254, CVE-2026-35505, CVE-2026-44628) are classified as high severity (CVSS 7.5–8.2). CISA issued an advisory on June 30, 2026, confirming that the vulnerabilities affect OFFIS DCMTK versions prior to v3.7.0.

The vendor has patched the flaws in the upstream master branch, but downstream users, including medical imaging software providers that bundle DCMTK, may struggle to apply the fixes until a formal release is cut. Agarwal noted that many healthcare entities may remain unaware of their exposure unless they actively verify which software components they run, for example via a Software Bill of Materials (SBoM).
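The SBoM check described above is mechanical once an inventory exists. The following is an added example, not from the article, CISA or OFFIS: it scans a CycloneDX SBOM for DCMTK components and flags any whose version is below the 3.7.0 threshold the advisory names. The SBOM document is constructed for the illustration, and the name/purl matching and the version parser are assumptions. The caveat a practitioner should carry along is in the verdict text: because the fix so far lives on master, a 3.6.x version string cannot by itself tell you whether a vendor backported it.

```python
"""Flag DCMTK components in a CycloneDX SBOM whose version is below the
threshold the advisory names (versions prior to 3.7.0).

Added example, not from the article, CISA or OFFIS. The SBOM document is
constructed; the purl/name matching and the version parser are assumptions."""
import json
import re

FIXED_VERSION = (3, 7, 0)  # "versions prior to v3.7.0" per the advisory as summarised above

# Constructed CycloneDX 1.5 document: two pins below the threshold, one at it, one unrelated.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "dcmtk", "version": "3.6.7",
         "purl": "pkg:generic/dcmtk@3.6.7"},
        {"type": "library", "name": "DCMTK", "version": "3.6.9-20240311",
         "purl": "pkg:deb/debian/dcmtk@3.6.9-20240311"},
        {"type": "library", "name": "dcmtk", "version": "3.7.0"},
        {"type": "library", "name": "openssl", "version": "3.0.13"},
    ],
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Leading major.minor.patch as an int tuple; None if the string has no such prefix."""
    m = _VERSION_RE.match(version or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_dcmtk(component):
    """Match on the component name or on the package URL's name segment (assumed heuristic)."""
    name = (component.get("name") or "").lower()
    purl = (component.get("purl") or "").lower()
    return name == "dcmtk" or "/dcmtk@" in purl


def find_exposed_dcmtk(sbom_json):
    """Return (version, verdict) for every DCMTK component that needs action."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        if not is_dcmtk(comp):
            continue
        raw = comp.get("version", "")
        parsed = parse_version(raw)
        if parsed is None:
            findings.append((raw, "unparseable version; verify manually"))
        elif parsed < FIXED_VERSION:
            findings.append((raw, "below 3.7.0; affected unless the vendor backported the upstream fix"))
    return findings


if __name__ == "__main__":
    for version, verdict in find_exposed_dcmtk(SAMPLE_SBOM):
        print(f"dcmtk {version}: {verdict}")
```

Run it against a real SBOM by replacing SAMPLE_SBOM with the file contents; components with a snapshot suffix such as the Debian-style "3.6.9-20240311" still parse on their numeric prefix and are reported, which is the conservative outcome.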

The discovery highlights the risks of embedded vulnerabilities in critical healthcare infrastructure, where outdated or unpatched components could leave patient data and imaging systems at risk.

Source: https://www.hipaajournal.com/offis-dcmtk-vulnerabilities-june-2026/

OFFIS TPRM report: https://www.rankiteo.com/company/offis-institute-for-information-technology

"id": "off1782916690",
"linkid": "offis-institute-for-information-technology",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{
  "affected_entities": [
    {
      "customers_affected": "Healthcare organizations using DICOM software",
      "industry": "Healthcare",
      "name": "OFFIS DCMTK",
      "type": "Software Toolkit"
    }
  ],
  "data_breach": {
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (personally identifiable health information)",
    "type_of_data_compromised": "Patient data, medical imaging data"
  },
  "date_detected": "2026-05",
  "date_publicly_disclosed": "2026-06-30",
  "description": "Independent security researcher Abhinav Agarwal uncovered five significant vulnerabilities in OFFIS DCMTK, a widely used toolkit for DICOM (Digital Imaging and Communications in Medicine) software. The flaws could allow attackers to expose patient data, disrupt DICOM storage or worklist services, exhaust system memory, crash imaging services, and write files outside intended directories via path traversal.",
  "impact": {
    "data_compromised": "Patient data",
    "downtime": "Potential crash of imaging services",
    "identity_theft_risk": "Potential risk due to exposed patient data",
    "operational_impact": "Disruption of DICOM services, memory exhaustion",
    "systems_affected": "DICOM storage or worklist services, medical imaging systems"
  },
  "investigation_status": "Vulnerabilities disclosed and patched in upstream master branch",
  "lessons_learned": "Highlights risks of embedded vulnerabilities in critical healthcare infrastructure and the importance of verifying software components via a Software Bill of Materials (SBoM).",
  "post_incident_analysis": {
    "corrective_actions": "Patching vulnerabilities in OFFIS DCMTK v3.7.0 and downstream implementations",
    "root_causes": "Unpatched vulnerabilities in widely used DICOM toolkit"
  },
  "recommendations": "Healthcare organizations should verify their software components using an SBoM and apply patches for OFFIS DCMTK vulnerabilities.",
  "references": [
    {"source": "CISA Advisory"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": "CISA advisory issued"
  },
  "response": {
    "communication_strategy": "CISA advisory issued",
    "remediation_measures": "Patches available in upstream master branch"
  },
  "title": "Critical Vulnerabilities Discovered in Widely Used DICOM Medical Imaging Toolkit",
  "type": "Vulnerability Disclosure",
  "vulnerability_exploited": [
    "CVE-2026-50003 (CVSS 9.8)",
    "CVE-2026-52868 (CVSS 7.5-8.2)",
    "CVE-2026-50254 (CVSS 7.5-8.2)",
    "CVE-2026-35505 (CVSS 7.5-8.2)",
    "CVE-2026-44628 (CVSS 7.5-8.2)"
  ]
}