CVE-2022-4981 — Improper Resource Shutdown or Release in Dcmtk

CWE-404 — Improper Resource Shutdown or Release CWE-476 — NULL Pointer Dereference4 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.0%

top 98.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Offis Dcmtk Debian Dcmtk

Timeline

PublishedOct 21

Description

A vulnerability was detected in DCMTK up to 3.6.7. The impacted element is the function DcmQueryRetrieveConfig::readPeerList of the file /dcmqrcnf.cc of the component dcmqrscp. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. Upgrading to version 3.6.8 is sufficient to resolve this issue. The patch is identified as 957fb31e5. Upgrading the affected component is advised.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDoffis/dcmtk< 3.6.8

▶debiandebian/dcmtk< dcmtk 3.6.5-1+deb11u5 (bullseye)

▶Debianoffis/dcmtk< 3.6.5-1+deb11u5+2

▶CVEListV5offis/dcmtk8 versions+7

🔴Vulnerability Details

GHSA

GHSA-v454-8grj-83c8: A vulnerability was detected in DCMTK up to 3↗2025-10-21

▶

OSV

CVE-2022-4981: A vulnerability was detected in DCMTK up to 3↗2025-10-21

▶

📋Vendor Advisories

Debian

CVE-2022-4981: dcmtk - A vulnerability was detected in DCMTK up to 3.6.7. The impacted element is the f...↗2022

▶