CVE-2021-41688 — Double Free in Dcmtk

CWE-415 — Double Free10 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 65.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Offis Dcmtk Debian Dcmtk

Timeline

PublishedJun 28

Latest updateJul 8

Description

DCMTK through 3.6.6 does not handle memory free properly. The object in the program is free but its address is still used in other locations. Sending specific requests to the dcmqrdb program will incur a double free. An attacker can use it to launch a DoS attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/dcmtk< dcmtk 3.6.7-1 (bookworm)

▶Debianoffis/dcmtk< 3.6.5-1+deb11u1+3

▶Ubuntuoffis/dcmtk< 3.6.4-2.1ubuntu0.1+11

▶NVDoffis/dcmtk3.6.6

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

dcmtk regression↗2025-07-08

▶

OSV

dcmtk vulnerabilities↗2024-09-17

▶

OSV

dcmtk vulnerabilities↗2023-02-22

▶

GHSA

GHSA-fwff-cx6h-wxmq: DCMTK through 3↗2022-06-29

▶

OSV

CVE-2021-41688: DCMTK through 3↗2022-06-28

▶

📋Vendor Advisories

Ubuntu

DCMTK regression↗2025-07-08

▶

Ubuntu

DCMTK vulnerabilities↗2024-09-17

▶

Ubuntu

DCMTK vulnerabilities↗2023-02-22

▶

Debian

CVE-2021-41688: dcmtk - DCMTK through 3.6.6 does not handle memory free properly. The object in the prog...↗2021

▶