Critical Path Traversal and Memory Corruption Vulnerabilities (CVE‑2026‑50003, CVE‑2026‑50254, CVE‑2026‑35505, CVE‑2026‑52868, CVE‑2026‑44628) in OFFIS DCMTK Toolkit
What It Is — The OFFIS DCMTK Toolkit (versions ≤ 3.7.0) contains multiple high‑severity flaws: a path‑traversal that lets a malicious server write files outside the intended directory, a type‑confusion bug, and several memory‑release errors that can lead to crashes or data leakage.
Exploitability — All five CVEs have a CVSS v3 base score of 9.8 (Critical). Public proof‑of‑concept code has been observed in the wild, and successful exploitation can be achieved by a compromised DICOM server communicating with a vulnerable client.
Affected Products — OFFIS DCMTK Toolkit ≤ 3.7.0 (used in medical imaging workstations, PACS, and many healthcare‑IT integrations).
Why It Matters for Compliance & Audit Readiness
- SOC 2 CC6.1 (Risk Management) requires continuous vulnerability identification; a CVSS 9.8 flaw in a core imaging library signals a gap in your vulnerability‑management program.
- Evidence of timely patching and configuration hardening is a key audit artifact for the Security and Availability principles.
- Healthcare organizations must demonstrate that they protect patient data (HIPAA, GDPR) – uncontrolled file writes could lead to unauthorized PHI exposure, jeopardizing compliance.
Recommended Actions
- Inventory every system that runs DCMTK and verify the version.
- Apply the upstream fix (available in the latest commit snapshot) or upgrade to a version > 3.7.0.
- Record the remediation in your vulnerability‑management tool and map the fix to SOC 2 CC6.1 and CC7.2 (System Operations).
- Update your DICOM configuration to enforce strict output directories and disable C‑GET storage mode if not required.