CVE-2021-41690

Published: Jun 28, 2022Modified: Nov 3, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

DCMTK through 3.6.6 does not handle memory free properly. The malloced memory for storing all file information are recorded in a global variable LST and are not freed properly. Sending specific requests to the dcmqrdb program can incur a memory leak. An attacker can use it to launch a DoS attack.

Affected (1)

Products: Offis: Dcmtk

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Offis Dcmtk	Up to 3.6.6

Related CWEs

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References (7)

https://github.com/DCMTK/dcmtk

Source: cve@mitre.org

ProductThird Party Advisory

https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html

Source: cve@mitre.org

https://github.com/DCMTK/dcmtk

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.