CVE-2024-47796

8.4 HIGH

📋 TL;DR

An improper array index validation vulnerability in OFFIS DCMTK's nowindow functionality allows out-of-bounds writes when processing specially crafted DICOM files. Attackers can exploit this to potentially execute arbitrary code or cause denial of service. Systems using DCMTK for medical imaging processing are affected.

💻 Affected Systems

Products:
  • OFFIS DCMTK
Versions: 3.6.8 and earlier versions with nowindow functionality
Operating Systems: All platforms running DCMTK
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems processing DICOM files using the vulnerable nowindow component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crash causing denial of service in medical imaging workflows, potentially disrupting patient care.

🟢 If Mitigated

Contained application crash with no privilege escalation if proper sandboxing and least privilege are implemented.

🌐 Internet-Facing: MEDIUM - Requires attacker to supply malicious DICOM file, but many medical systems process external files.
🏢 Internal Only: MEDIUM - Internal users could exploit via uploaded medical images or shared files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires crafting a malicious DICOM file and getting it processed by a vulnerable system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6

Vendor Advisory: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6

Restart Required: No

Instructions:

1. Update DCMTK to the latest version that includes the fix.
2. Rebuild applications that use the DCMTK libraries.
3. Test with sample DICOM files to ensure functionality.

🔧 Temporary Workarounds

Disable nowindow functionality (platforms: all)

Configure applications to avoid using the vulnerable nowindow component when processing DICOM files.

Input validation (platforms: all)

Implement strict validation of DICOM file headers before processing.

🧯 If You Can't Patch

  • Isolate DCMTK processing to dedicated, sandboxed systems with no internet access.
  • Implement strict file upload controls and scan all incoming DICOM files with multiple antivirus engines.

🔍 How to Verify

Check if Vulnerable:

Check the DCMTK version with: dcmdump --version. If the version is 3.6.8 or earlier, the system is vulnerable.

Check Version:

dcmdump --version 2>&1 | grep -i version

Verify Fix Applied:

Verify that the DCMTK version includes commit 89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6 or later.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in DCMTK processes
  • Memory access violation errors
  • Abnormal DICOM file processing failures

Network Indicators:

  • Unusual DICOM file transfers from untrusted sources
  • Large volumes of DICOM files to single endpoint

SIEM Query:

source="dcmtk" AND (event_type="crash" OR error="segmentation fault" OR error="access violation")
