CVE-2021-41688

Published: Jun 28, 2022Modified: Nov 3, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

DCMTK through 3.6.6 does not handle memory free properly. The object in the program is free but its address is still used in other locations. Sending specific requests to the dcmqrdb program will incur a double free. An attacker can use it to launch a DoS attack.

Affected (1)

Products: Offis: Dcmtk

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Offis Dcmtk	Up to 3.6.6

Related CWEs

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References (7)

https://github.com/DCMTK/dcmtk

Source: cve@mitre.org

ProductThird Party Advisory

https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html

Source: cve@mitre.org

https://github.com/DCMTK/dcmtk

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.