CVE-2021-41690

7.5 HIGH

📋 TL;DR

CVE-2021-41690 is a memory leak vulnerability in DCMTK's dcmqrdb program where allocated memory for file information isn't properly freed. Attackers can send specific requests to cause memory exhaustion, leading to denial of service. Organizations using DCMTK for medical imaging DICOM services are affected.

💻 Affected Systems

Products:
  • DCMTK (DICOM Toolkit)
Versions: All versions through 3.6.6
Operating Systems: All platforms running DCMTK
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems running dcmqrdb service. Other DCMTK components are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage of DICOM services due to memory exhaustion, potentially disrupting medical imaging workflows and patient care.

🟠 Likely Case: Degraded performance or temporary unavailability of DCMTK services requiring restart of affected processes.

🟢 If Mitigated: Minimal impact with proper monitoring and resource limits in place, though service may still require occasional restarts.

🌐 Internet-Facing: HIGH if dcmqrdb is exposed to untrusted networks, as unauthenticated attackers can trigger the memory leak.
🏢 Internal Only: MEDIUM as internal users or compromised systems could still exploit the vulnerability to disrupt services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific requests to dcmqrdb, which is straightforward for attackers familiar with DICOM protocols.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit a9697dfeb672b0b9412c00c7d36d801e27ec85cb and later versions

Vendor Advisory: https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

Restart Required: Yes

Instructions:

1. Update DCMTK to a version after commit a9697dfeb672b0b9412c00c7d36d801e27ec85cb.
2. Rebuild from source if using custom builds.
3. Restart all dcmqrdb services.

🔧 Temporary Workarounds

Resource Limiting (Linux)

Limit memory usage of the dcmqrdb process using OS controls:

ulimit -v [MEMORY_LIMIT] && dcmqrdb
systemctl set-property dcmqrdb.service MemoryMax=[VALUE]

Network Restriction (Linux)

Restrict access to the dcmqrdb service to trusted networks only:

iptables -A INPUT -p tcp --dport [DCMQRDB_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [DCMQRDB_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate dcmqrdb from untrusted networks
  • Deploy monitoring with alerts for abnormal memory consumption by dcmqrdb processes

🔍 How to Verify

Check if Vulnerable:

Check the DCMTK version with dcmdump --version | grep 'OFFIS DCMTK' and verify whether the version is 3.6.6 or earlier

Check Version:

dcmdump --version 2>&1 | grep 'OFFIS DCMTK'

Verify Fix Applied:

Verify that the installed build includes commit a9697dfeb672b0b9412c00c7d36d801e27ec85cb or that the version is newer than 3.6.6

📡 Detection & Monitoring

Log Indicators:

  • Rapid increase in dcmqrdb memory usage
  • Process restart messages
  • Out of memory errors in system logs

Network Indicators:

  • Unusual volume of DICOM requests to dcmqrdb port
  • Requests with malformed or specially crafted DICOM data

SIEM Query:

process_name="dcmqrdb" AND (memory_usage > [THRESHOLD] OR event_type="process_restart")
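
One way to implement the memory-consumption alerting recommended above on Linux, as an added example that is not part of the original advisory or of DCMTK: it reads VmRSS from /proc and flags steady growth that never gives memory back. The function names, thresholds, the 2% drop tolerance and the sample data are assumptions made for illustration.

```python
"""Flag leak-style RSS growth in a dcmqrdb process (added example)."""
import os
import re

def read_rss_kb(pid, proc_root="/proc"):
    """Return VmRSS in kB from <proc_root>/<pid>/status, or None if unavailable."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            for line in fh:
                m = re.match(r"VmRSS:\s+(\d+)\s+kB", line)
                if m:
                    return int(m.group(1))
    except OSError:
        pass  # process exited or status file not readable
    return None

def growth_kb_per_min(samples):
    """Least-squares slope of (epoch_seconds, rss_kb) samples, in kB per minute."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        return 0.0
    cov = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    return cov / var_t * 60

def assess(samples, max_rss_kb, max_slope_kb_min, min_samples=5):
    """Return 'ok', 'leak-suspected' or 'limit-exceeded'; thresholds are site-specific."""
    if not samples:
        return "ok"
    if samples[-1][1] >= max_rss_kb:
        return "limit-exceeded"
    if len(samples) >= min_samples:
        # Heuristic (assumption): leaked memory is never returned, so require
        # a steep slope AND no drop larger than 2% between consecutive samples.
        rss = [r for _, r in samples]
        never_drops = all(b >= a * 0.98 for a, b in zip(rss, rss[1:]))
        if never_drops and growth_kb_per_min(samples) > max_slope_kb_min:
            return "leak-suspected"
    return "ok"

# Constructed samples (not real measurements), one per minute.
LEAKING = [(60 * i, 50_000 + 4_000 * i) for i in range(10)]
STEADY = [(60 * i, 50_000 + (300 if i % 2 else -300)) for i in range(10)]

if __name__ == "__main__":
    print(assess(LEAKING, 500_000, 1_000), assess(STEADY, 500_000, 1_000))
```

In production, call read_rss_kb on the dcmqrdb PID at a fixed interval, keep a sliding window of samples, and forward any result other than ok to the alerting pipeline.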
