PatchSiren cyber security CVE debrief
CVE-2026-10194 OFFIS CVE debrief
A heap-based buffer overflow vulnerability exists in OFFIS DCMTK 3.7.0 within the dcmqrscp component. The flaw resides in the DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages function in dcmqrdb/libsrc/dcmqrdbi.cc. A remote attacker can trigger this weakness through manipulation, resulting in heap memory corruption. The vulnerability is classified as MEDIUM severity with a CVSS score of 5.3. A patch is available via commit 0f78a4ef6f645ea5530166e445e5436a5de58e75.
- Vendor: OFFIS
- Product: DCMTK
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-31
- Original CVE updated: 2026-05-31
- Advisory published: 2026-05-31
- Advisory updated: 2026-05-31
Who should care
Healthcare organizations, medical imaging system administrators, and security teams managing PACS infrastructure using DCMTK's query/retrieve service class provider (dcmqrscp).
Technical summary
The vulnerability is a heap-based buffer overflow (CWE-122, also associated with CWE-119) in the DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages function of DCMTK's dcmqrdb library. The affected file is dcmqrdb/libsrc/dcmqrdbi.cc in the dcmqrscp component. Remote exploitation is possible, and the issue is remediated by patch commit 0f78a4ef6f645ea5530166e445e5436a5de58e75.
Defensive priority
medium
Recommended defensive actions
- Apply patch commit 0f78a4ef6f645ea5530166e445e5436a5de58e75 to DCMTK 3.7.0 installations
- Restrict network access to dcmqrscp services to trusted hosts where possible
- Monitor for anomalous queries to DICOM query/retrieve SCP endpoints
- Validate DCMTK version and confirm patch application during maintenance windows
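The last two actions (checking the deployed version and confirming the fix is present) can be scripted. The following is an added example, not code from PatchSiren or the DCMTK project; it assumes `dcmqrscp --version` prints a banner line of the form `$dcmtk: dcmqrscp v3.7.0 <date> $` and that a DCMTK git checkout is available for the commit check.

```shell
#!/bin/sh
# Added example: classify an installed dcmqrscp against the version named in
# CVE-2026-10194 and check a DCMTK source checkout for the fix commit.
# The --version banner format is an assumption, not taken from the advisory.

FIX_COMMIT="0f78a4ef6f645ea5530166e445e5436a5de58e75"   # from the advisory
AFFECTED_VERSION="3.7.0"                                 # from the advisory

# Extract "x.y.z" from --version banner text supplied on stdin.
parse_dcmtk_version() {
    sed -n 's/.*dcmqrscp v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# "affected" for the version the advisory names; anything else is
# "unassessed" because the advisory makes no statement about it.
classify_version() {
    if [ "$1" = "$AFFECTED_VERSION" ]; then
        echo affected
    else
        echo unassessed
    fi
}

# In a DCMTK git checkout, report whether FIX_COMMIT is an ancestor of HEAD.
# Prints "patched", "unpatched", or "unknown" (no checkout / commit not fetched).
patch_status() {
    repo="${1:-.}"
    if git -C "$repo" cat-file -e "$FIX_COMMIT^{commit}" 2>/dev/null; then
        if git -C "$repo" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null; then
            echo patched
        else
            echo unpatched
        fi
    else
        echo unknown
    fi
}

# Host usage: ./check_dcmtk.sh --run [path-to-dcmtk-checkout]
if [ "${1:-}" = "--run" ]; then
    ver="$(dcmqrscp --version 2>/dev/null | parse_dcmtk_version)"
    echo "dcmqrscp version ${ver:-unknown}: $(classify_version "$ver")"
    echo "fix commit in ${2:-.}: $(patch_status "${2:-.}")"
fi
```

A result of "unpatched" on a tree reporting 3.7.0 is the case to escalate; "unknown" means the commit was not reachable in that checkout and needs a fetch before the check is meaningful.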
Evidence notes
CVE published 2026-05-31. Source references include the DCMTK Git commit and VulDB entries. The source marks vendor attribution as low confidence ('Unknown Vendor'); the available evidence points to the OFFIS DCMTK project.
Official resources
2026-05-31