CVE-2024-24794

8.1 HIGH

📋 TL;DR

A use-after-free vulnerability in libdicom 1.0.5 allows attackers to execute arbitrary code or cause denial of service by tricking applications into processing malicious DICOM files. This affects any software using the vulnerable libdicom library for medical imaging processing. The vulnerability occurs during DICOM sequence parsing when memory is freed prematurely but still referenced.

💻 Affected Systems

Products:
  • Imaging Data Commons libdicom
Versions: Version 1.0.5 specifically
Operating Systems: All platforms running libdicom
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using libdicom 1.0.5 for DICOM file parsing is vulnerable regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment on affected systems.

🟠 Likely Case: Application crash (denial of service) with potential for memory corruption that could lead to information disclosure or limited code execution.

🟢 If Mitigated: Application crash without data loss if proper sandboxing and memory protections are in place.

🌐 Internet-Facing: MEDIUM - Requires user interaction to upload/process malicious DICOM files, but medical imaging systems often accept external inputs.
🏢 Internal Only: MEDIUM - Internal medical imaging workflows frequently process DICOM files from various sources including external partners.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious DICOM file and convincing the target to process it. No authentication needed once file processing is triggered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.0.6 or later

Vendor Advisory: https://github.com/ImagingDataCommons/libdicom/releases

Restart Required: Yes

Instructions:

1. Check current libdicom version.
2. Update to libdicom 1.0.6 or later via package manager or source compilation.
3. Restart any applications using libdicom.
4. Recompile applications if statically linked.

🔧 Temporary Workarounds

Input validation and sanitization (platforms: all)

Implement strict validation of DICOM files before processing, rejecting malformed or suspicious files.

Sandboxing (platforms: linux)

Run DICOM processing in isolated containers or sandboxes with limited privileges:

docker run --read-only --security-opt=no-new-privileges -v /safe/input:/input your_app

Mount the input directory read-only by appending `:ro` to the `-v` argument so the parser cannot alter the files it processes. The sandbox limits the blast radius of a crash or exploit but does not remove the underlying bug, so it supplements rather than replaces the 1.0.6 update.

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems processing DICOM files
  • Deploy application allowlisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check the libdicom version: `dicom --version` or `ldconfig -p | grep libdicom`. If the version is 1.0.5, the system is vulnerable.

Check Version:

dicom --version 2>/dev/null || find /usr -name '*libdicom*' -exec strings {} \; 2>/dev/null | grep -i version

Verify Fix Applied:

Verify version is 1.0.6 or later: `dicom --version`. Test with known safe DICOM files to ensure functionality.
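An added example, not part of this advisory or the libdicom project: a POSIX shell script that discovers the installed libdicom version and compares it against the 1.0.6 fix release named above. It tries the advisory's `dicom --version` first and then `pkg-config --modversion libdicom`; the `libdicom` pkg-config module name is an assumption and may not exist on every distribution. The version comparison is component-wise, so it also handles releases such as 1.1.0 or 2.0.0 rather than only the exact strings 1.0.5 and 1.0.6.

```shell
#!/bin/sh
# Added example (not from the advisory or the libdicom project): report whether
# the installed libdicom is at or above the 1.0.6 release the advisory names
# as the fix for CVE-2024-24794.

# Compare two dotted version strings component by component.
# Prints "lt", "eq" or "gt" describing how $1 relates to $2.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        # Keep only the leading digit run ("6rc1" -> "6"); a missing
        # component counts as 0, so 1.0 and 1.0.0 compare equal.
        ai="${ai%%[!0-9]*}"; ai="${ai:-0}"
        bi="${bi%%[!0-9]*}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo lt; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return 0; fi
    done
    echo eq
}

# True (exit 0) when the given version is 1.0.6 or later, i.e. carries the fix.
libdicom_fixed() {
    [ "$(vercmp "$1" 1.0.6)" != lt ]
}

# Discover the installed version. The advisory's `dicom --version` is tried
# first; the pkg-config module name "libdicom" is an assumption.
detect_libdicom_version() {
    v=$(dicom --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1)
    [ -n "$v" ] && { echo "$v"; return 0; }
    v=$(pkg-config --modversion libdicom 2>/dev/null)
    [ -n "$v" ] && { echo "$v"; return 0; }
    return 1
}

# Only run the check when invoked with --check, so the functions above can
# also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
    if v=$(detect_libdicom_version); then
        if libdicom_fixed "$v"; then
            echo "libdicom $v: fixed (1.0.6 or later)"
        else
            echo "libdicom $v: AFFECTED by CVE-2024-24794, upgrade to 1.0.6 or later"
            exit 1
        fi
    else
        echo "libdicom version not found via dicom/pkg-config; fall back to the find/strings command above" >&2
        exit 2
    fi
fi
```

Run it as `sh check_libdicom.sh --check`; a non-zero exit status means either an affected version was found (1) or no version could be determined (2), which makes it usable from configuration-management or fleet-inventory jobs. For statically linked applications the shared-library checks will not see the embedded copy, so those binaries still need the recompile step from the fix instructions.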

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory corruption errors in application logs
  • Unexpected process termination during DICOM processing

Network Indicators:

  • Unusual DICOM file uploads from unexpected sources
  • Large volumes of DICOM file transfers to vulnerable systems

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "use-after-free" OR "memory corruption") AND process="*dicom*"
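An added example, not part of this advisory: a POSIX shell counterpart of the SIEM query above for hosts whose logs are not in a SIEM, run over syslog-style sample lines that are constructed for this example (not real logs). It flags lines that carry a crash or memory-corruption indicator and also mention a DICOM-related process or library, then tallies them per process so a burst of crashes in one DICOM worker stands out from unrelated segfaults.

```shell
#!/bin/sh
# Added example (not from the advisory): a shell equivalent of the SIEM query
# above, applied to syslog-style log lines. The sample lines below are
# constructed for this example and are not real logs.

SAMPLE_LOGS='Mar 01 10:00:01 pacs01 kernel: dicom-worker[2211]: segfault at 0 ip 00007f3a1c0b2d4e sp 00007ffd2e1f0a40 error 4 in libdicom.so.1[7f3a1c0a0000+20000]
Mar 01 10:00:02 pacs01 dicom-worker[2211]: double free or corruption (out)
Mar 01 10:00:03 pacs01 sshd[300]: Accepted publickey for ops from 10.0.0.5 port 52210
Mar 01 10:00:04 pacs01 dicom-viewer[4100]: AddressSanitizer: heap-use-after-free on address 0x602000000010
Mar 01 10:00:05 pacs01 kernel: backup[77]: segfault at 10 ip 0000558d2a3e4f10 sp 00007ffc8b2d1c30 error 6 in librsync.so.2[558d2a3d0000+10000]'

# Indicators from the advisory's Log Indicators list, plus the glibc and
# AddressSanitizer wording for the same conditions; matched case-insensitively.
CRASH_PATTERN='segfault|segmentation fault|use-after-free|memory corruption|double free'

# Print lines (stdin -> stdout) that carry a crash indicator AND mention a
# DICOM-related process or library. The trailing "|| true" keeps a no-match
# result (grep exit status 1) from being reported as an error.
dicom_crash_lines() {
    grep -iE "$CRASH_PATTERN" | grep -i 'dicom' || true
}

# Number of matching lines.
count_dicom_crash_indicators() {
    dicom_crash_lines | wc -l | tr -d ' '
}

# Tally matches per DICOM-related process, printed as "<name>[<pid>] <count>".
# The process token is the first "...dicom...[pid]" occurrence on the line,
# which also works for kernel segfault lines where "kernel:" precedes it.
dicom_crash_by_process() {
    dicom_crash_lines | awk '
        {
            if (match($0, /[A-Za-z0-9_.-]*[Dd][Ii][Cc][Oo][Mm][A-Za-z0-9_.-]*\[[0-9]+\]/))
                proc = substr($0, RSTART, RLENGTH)
            else
                proc = "unknown"
            count[proc]++
        }
        END { for (p in count) print p, count[p] }' | sort
}

# Demonstration on the constructed sample. For real use, feed the log instead:
#   dicom_crash_by_process < /var/log/syslog
printf '%s\n' "$SAMPLE_LOGS" | dicom_crash_by_process
```

On the sample the script reports two crashes for dicom-worker[2211] and one for dicom-viewer[4100]; the sshd line and the librsync segfault are correctly left out. Because the page's indicators are also produced by ordinary bugs, treat a match as a trigger to pull the offending DICOM file for inspection and to confirm the libdicom version on that host, not as proof of exploitation.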
