CVE-2021-41687 — Missing Release of Memory after Effective Lifetime in Dcmtk

CWE-401 — Missing Release of Memory after Effective Lifetime10 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 60.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Offis Dcmtk Debian Dcmtk

Timeline

PublishedJun 28

Latest updateJul 8

Description

DCMTK through 3.6.6 does not handle memory free properly. The program malloc a heap memory for parsing data, but does not free it when error in parsing. Sending specific requests to the dcmqrdb program incur the memory leak. An attacker can use it to launch a DoS attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/dcmtk< dcmtk 3.6.7-1 (bookworm)

▶Debianoffis/dcmtk< 3.6.5-1+deb11u1+3

▶Ubuntuoffis/dcmtk< 3.6.4-2.1ubuntu0.1+11

▶NVDoffis/dcmtk3.6.6

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

dcmtk regression↗2025-07-08

▶

OSV

dcmtk vulnerabilities↗2024-09-17

▶

OSV

dcmtk vulnerabilities↗2023-02-22

▶

GHSA

GHSA-342m-fmj9-855c: DCMTK through 3↗2022-06-29

▶

OSV

CVE-2021-41687: DCMTK through 3↗2022-06-28

▶

📋Vendor Advisories

Ubuntu

DCMTK regression↗2025-07-08

▶

Ubuntu

DCMTK vulnerabilities↗2024-09-17

▶

Ubuntu

DCMTK vulnerabilities↗2023-02-22

▶

Debian

CVE-2021-41687: dcmtk - DCMTK through 3.6.6 does not handle memory free properly. The program malloc a h...↗2021

▶