CVE-2026-12805
Status: Received (Intake)
Heap-based Buffer Overflow in OFFIS DCMTK

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A flaw has been found in OFFIS DCMTK up to and including version 3.7.0. The affected component is the function XMLNode::parseFile in the library file ofstd/libsrc/ofxml.cc. Manipulating its input can lead to a heap-based buffer overflow. The attack may be performed from remote. An exploit has been published and may be used. The fix is identified as commit 1d4b3815c0987840a983160bfc671fef63a3105b; applying it is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Meta Information
Published: 2026-06-21
Last Modified: 2026-06-21
Generated: 2026-06-22
AI Q&A: 2026-06-21
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: offis
Product: dcmtk
Version / Range: up to 3.7.0 (inclusive)
CWE
CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Quick Actions (automatically generated insights)
Executive Summary

CVE-2026-12805 is a heap-based buffer overflow vulnerability found in the DCMTK library, specifically in the XMLNode::parseFile() function located in ofstd/libsrc/ofxml.cc.

The flaw occurs when the function processes input from a FIFO (named pipe). The function uses ftell() to determine the size of the input, but ftell() returns -1 for non-seekable files like FIFOs. The code only checks if the return value is zero, not if it is negative.

Because of this missing check, the -1 is carried forward as if it were a valid length: the code allocates a very small buffer (3 bytes) but then attempts to read an extremely large amount of data (SIZE_MAX bytes, which is what -1 becomes when converted to an unsigned size) into it. The read runs past the end of the buffer and corrupts adjacent heap memory, resulting in a heap buffer overflow.

The vulnerability can be triggered remotely and has an exploit published. It affects DCMTK versions 3.6.7 through 3.7.0 and the current master branch. The issue was fixed by properly checking the return value of ftell() to prevent incorrect memory allocation.

Impact Analysis

This vulnerability can lead to a heap-based buffer overflow, which may allow an attacker to corrupt memory and potentially execute arbitrary code.

Since the vulnerability can be triggered remotely by manipulating input to the XMLNode::parseFile() function, it poses a risk of remote code execution or denial of service by crashing the affected application.

The exploit has been published, increasing the risk of active attacks against vulnerable systems.

The impact includes potential compromise of system integrity, unauthorized access, or service disruption in applications using the affected DCMTK versions.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal behavior in applications that use the DCMTK library, especially those that invoke the XMLNode::parseFile() function on FIFO (named pipe) inputs, such as the cda2dcm tool.

A practical detection method is to create a FIFO, pass it to the affected code path, and observe whether the program crashes or shows signs of heap corruption, as demonstrated in the published proof-of-concept exploits.

While no specific detection commands are provided, running DCMTK-based applications that process named pipes under AddressSanitizer or a similar memory-error detector can help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to apply the official patch that fixes the vulnerability by properly checking the return value of ftell() in the XMLNode::parseFile() function.

Updating DCMTK to a version that includes the patch (commit 1d4b3815c0987840a983160bfc671fef63a3105b) is recommended to prevent heap-based buffer overflow exploitation.

As a temporary measure, avoid processing FIFO (named pipe) inputs with vulnerable versions of DCMTK or restrict access to such inputs to trusted users only.
