CVE-2021-41689
published 2022-06-28CVE-2021-41689: DCMTK through 3.6.6 does not handle string copy properly. Sending specific requests to the dcmqrdb program, it would query its database and copy the result…
PriorityP339high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
1.69%
74.2th percentile
DCMTK through 3.6.6 does not handle string copy properly. Sending specific requests to the dcmqrdb program, it would query its database and copy the result even if the result is null, which can incur a head-based overflow. An attacker can use it to launch a DoS attack.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dcmtk | < dcmtk 3.6.7-1 (bookworm) | dcmtk 3.6.7-1 (bookworm) |
| offis | dcmtk | <= 3.6.6 | — |
| offis | dcmtk | >= 0 < 3.6.5-1+deb11u1 | 3.6.5-1+deb11u1 |
| offis | dcmtk | >= 0 < 3.6.7-1 | 3.6.7-1 |
| offis | dcmtk | >= 0 < 3.6.7-1 | 3.6.7-1 |
| offis | dcmtk | >= 0 < 3.6.7-1 | 3.6.7-1 |
| offis | dcmtk | >= 0 < 3.6.4-2.1ubuntu0.1 | 3.6.4-2.1ubuntu0.1 |
| offis | dcmtk | >= 0 < 3.6.4-2.1ubuntu0.2 | 3.6.4-2.1ubuntu0.2 |
| offis | dcmtk | >= 0 < 3.6.1~20150924-5ubuntu0.1~esm2 | 3.6.1~20150924-5ubuntu0.1~esm2 |
| offis | dcmtk | >= 0 < 3.6.1~20150924-5ubuntu0.1~esm1 | 3.6.1~20150924-5ubuntu0.1~esm1 |
| offis | dcmtk | >= 0 < 3.6.1~20150924-5ubuntu0.1~esm3 | 3.6.1~20150924-5ubuntu0.1~esm3 |
| offis | dcmtk | >= 0 < 3.6.2-3ubuntu0.1~esm2 | 3.6.2-3ubuntu0.1~esm2 |
| offis | dcmtk | >= 0 < 3.6.2-3ubuntu0.1~esm1 | 3.6.2-3ubuntu0.1~esm1 |
| offis | dcmtk | >= 0 < 3.6.2-3ubuntu0.1~esm3 | 3.6.2-3ubuntu0.1~esm3 |
| offis | dcmtk | >= 0 < 3.6.4-2.1ubuntu0.1~esm1 | 3.6.4-2.1ubuntu0.1~esm1 |
| offis | dcmtk | >= 0 < 3.6.6-5ubuntu0.1~esm2 | 3.6.6-5ubuntu0.1~esm2 |
| offis | dcmtk | >= 0 < 3.6.6-5ubuntu0.1~esm1 | 3.6.6-5ubuntu0.1~esm1 |
| offis | dcmtk | >= 0 < 3.6.7-9.1ubuntu0.1~esm1 | 3.6.7-9.1ubuntu0.1~esm1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
DCMTK regression
vendor_ubuntu·2025-07-08·CVSS 7.5
CVE-2021-41687 [HIGH] DCMTK regression
Title: DCMTK regression
Summary: USN-7010-1 introduced a regression in DCMTK
USN-7010-1 fixed vulnerabilities in DCMTK. The update introduced a
regression. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If
a user or an automated system were tricked into opening a certain specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 20.04 LTS.
(CVE-2021-41687, CVE-2021-41688, CVE-2021-41689, CVE-2021-41690)
Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled
pointers. If a user or an automated system were tricked into opening a
certain specially crafted input file, a rem
Ubuntu
DCMTK vulnerabilities
vendor_ubuntu·2024-09-17·CVSS 7.5
CVE-2021-41688 [HIGH] DCMTK vulnerabilities
Title: DCMTK vulnerabilities
Summary: Several security issues were fixed in DCMTK.
Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If
a user or an automated system were tricked into opening a certain specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 20.04 LTS.
(CVE-2021-41687, CVE-2021-41688, CVE-2021-41689, CVE-2021-41690)
Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled
pointers. If a user or an automated system were tricked into opening a
certain specially crafted input file, a remote attacker could possibly use
this issue to cause a denial of service. This issue only affected
Ubuntu 20.04 LTS. (CVE-2022-2121)
It was discovered that DCMTK incorrec
Ubuntu
DCMTK vulnerabilities
vendor_ubuntu·2023-02-22·CVSS 7.5
CVE-2021-41689 [HIGH] DCMTK vulnerabilities
Title: DCMTK vulnerabilities
Summary: Several security issues were fixed in DCMTK.
Gjoko Krstic discovered that DCMTK incorrectly handled buffers. If a user or
an automated system were tricked into opening a certain specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8979)
Omar Ganiev discovered that DCMTK incorrectly handled buffers. If a user or
an automated system were tricked into opening a certain specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS. (CVE-2019-1010228)
Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If a
user or an au
Debian
CVE-2021-41689: dcmtk - DCMTK through 3.6.6 does not handle string copy properly. Sending specific reque...
vendor_debian·2021·CVSS 7.5
CVE-2021-41689 [HIGH] CVE-2021-41689: dcmtk - DCMTK through 3.6.6 does not handle string copy properly. Sending specific reque...
DCMTK through 3.6.6 does not handle string copy properly. Sending specific requests to the dcmqrdb program, it would query its database and copy the result even if the result is null, which can incur a head-based overflow. An attacker can use it to launch a DoS attack.
Scope: local
bookworm: resolved (fixed in 3.6.7-1)
bullseye: resolved (fixed in 3.6.5-1+deb11u1)
forky: resolved (fixed in 3.6.7-1)
sid: resolved (fixed in 3.6.7-1)
trixie: resolved (fixed in 3.6.7-1)
OSV
dcmtk regression
osv·2025-07-08·CVSS 7.5
[HIGH] dcmtk regression
dcmtk regression
USN-7010-1 fixed vulnerabilities in DCMTK. The update introduced a
regression. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If
a user or an automated system were tricked into opening a certain specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 20.04 LTS.
(CVE-2021-41687, CVE-2021-41688, CVE-2021-41689, CVE-2021-41690)
Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled
pointers. If a user or an automated system were tricked into opening a
certain specially crafted input file, a remote attacker could possibly use
this issue to cause a denial
OSV
dcmtk vulnerabilities
osv·2024-09-17·CVSS 7.5
CVE-2021-41687 [HIGH] dcmtk vulnerabilities
dcmtk vulnerabilities
Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If
a user or an automated system were tricked into opening a certain specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 20.04 LTS.
(CVE-2021-41687, CVE-2021-41688, CVE-2021-41689, CVE-2021-41690)
Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled
pointers. If a user or an automated system were tricked into opening a
certain specially crafted input file, a remote attacker could possibly use
this issue to cause a denial of service. This issue only affected
Ubuntu 20.04 LTS. (CVE-2022-2121)
It was discovered that DCMTK incorrectly handled certain inputs. If a
user or an automated system w
OSV
dcmtk vulnerabilities
osv·2023-02-22·CVSS 7.5
CVE-2015-8979 [HIGH] dcmtk vulnerabilities
dcmtk vulnerabilities
Gjoko Krstic discovered that DCMTK incorrectly handled buffers. If a user or
an automated system were tricked into opening a certain specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8979)
Omar Ganiev discovered that DCMTK incorrectly handled buffers. If a user or
an automated system were tricked into opening a certain specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS. (CVE-2019-1010228)
Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If a
user or an automated system were tricked into opening a certain specially
c
GHSA
GHSA-558h-5pv9-xxg9: DCMTK through 3
ghsa_unreviewed·2022-06-29
CVE-2021-41689 [HIGH] CWE-476 GHSA-558h-5pv9-xxg9: DCMTK through 3
DCMTK through 3.6.6 does not handle string copy properly. Sending specific requests to the dcmqrdb program, it would query its database and copy the result even if the result is null, which can incur a head-based overflow. An attacker can use it to launch a DoS attack.
OSV
CVE-2021-41689: DCMTK through 3
osv·2022-06-28·CVSS 7.5
CVE-2021-41689 [HIGH] CVE-2021-41689: DCMTK through 3
DCMTK through 3.6.6 does not handle string copy properly. Sending specific requests to the dcmqrdb program, it would query its database and copy the result even if the result is null, which can incur a head-based overflow. An attacker can use it to launch a DoS attack.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/DCMTK/dcmtkhttps://github.com/DCMTK/dcmtk/commit/5c14bf53fb42ceca12bbcc0016e8704b1580920dhttps://lists.debian.org/debian-lts-announce/2024/06/msg00022.htmlhttps://github.com/DCMTK/dcmtkhttps://github.com/DCMTK/dcmtk/commit/5c14bf53fb42ceca12bbcc0016e8704b1580920dhttps://lists.debian.org/debian-lts-announce/2024/06/msg00022.htmlhttps://lists.debian.org/debian-lts-announce/2025/01/msg00032.html
2022-06-28
Published