The Healthcare and Public Health sector is facing a critical risk following the release of CISA advisory ICSMA-26-181-01. The OFFIS DCMTK (DICOM Toolkit), a foundational library widely used in medical imaging devices (PACS, viewers, and modalities), contains multiple severe vulnerabilities.
With a CVSS v3 score of 9.8, these flaws—tracked as CVE-2026-50003, CVE-2026-50254, CVE-2026-35505, CVE-2026-52868, and CVE-2026-44628—affect versions 3.7.0 and earlier. Successful exploitation allows attackers to write files to arbitrary locations (Path Traversal), exhaust memory resources, or crash critical services via Type Confusion. For defenders, the immediate challenge is that DCMTK is often an embedded component within proprietary medical devices, making patching a complex supply-chain coordination effort rather than a simple software update.
Technical Analysis
Affected Component: OFFIS DCMTK Toolkit (DICOM Toolkit)
Affected Versions: DCMTK <= 3.7.0
Critical Infrastructure Sector: Healthcare and Public Health
Severity: CVSS v3 9.8 (CRITICAL)
The DCMTK toolkit implements the DICOM (Digital Imaging and Communications in Medicine) standard. It is ubiquitous in hospital environments, facilitating the exchange and management of medical images. The vulnerabilities identified allow for three primary attack vectors:
- Path Traversal (CVE-2026-50003): An attacker can manipulate directory paths in DICOM messages to write files outside of the intended restricted directory. This can lead to remote code execution (RCE) if an attacker can overwrite executables or configuration files, or simply data corruption.
- Memory Exhaustion (CVE-2026-50254, CVE-2026-52868): Missing release of memory after effective lifetime allows an attacker to exhaust available system resources (RAM), leading to a Denial of Service (DoS). In a hospital environment, downtime of imaging systems directly impacts patient care.
- Type Confusion (CVE-2026-35505) & Crashes (CVE-2026-44628): Accessing resources using incompatible types can destabilize the application, leading to process termination.
Exploitation Status: While CISA has not confirmed active exploitation in the wild at the time of this advisory, the 9.8 CVSS score and the prevalence of DICOM ports (typically 104/TCP or 11112/TCP) exposed on hospital networks make this a high-value target for automated scanners and ransomware operators.
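To make the Path Traversal vector concrete from the receiving side, the following added Python example (not DCMTK code; the storage directory, file names and UIDs are constructed) contrasts a storage handler that trusts a peer-supplied file name with one that derives the name from a validated SOP Instance UID and verifies the resolved path stays inside the storage directory:

```python
import os
import re

# Constructed storage root for the illustration; any directory works.
STORE_DIR = "/var/lib/pacs/incoming"

# DICOM UIDs (VR "UI") are digit components joined by dots, at most 64 chars.
_UID_RE = re.compile(r"[0-9]+(\.[0-9]+)*")


def unsafe_output_path(store_dir: str, requested_name: str) -> str:
    """Vulnerable pattern: a peer-supplied name goes straight into the path.
    A name containing '../' segments resolves outside store_dir."""
    return os.path.normpath(os.path.join(store_dir, requested_name))


def safe_output_path(store_dir: str, sop_instance_uid: str):
    """Hardened pattern: build the name from a validated UID, then verify the
    resolved path still lies under store_dir. Returns None when rejected."""
    if len(sop_instance_uid) > 64 or not _UID_RE.fullmatch(sop_instance_uid):
        return None
    root = os.path.realpath(store_dir)
    candidate = os.path.realpath(os.path.join(root, sop_instance_uid + ".dcm"))
    # Containment check: the final, symlink-resolved path must be a child of root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def escapes_store(store_dir: str, path: str) -> bool:
    """True when path resolves outside store_dir (the write pattern to alert on)."""
    root = os.path.realpath(store_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root
```

The containment check is what the "unexpected file writes in system directories" monitoring item later in this advisory is looking for from the outside.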
Detection & Response
Because DCMTK is a library embedded in third-party medical software, you cannot simply scan for "dcmtk.exe." Defenders must hunt for the behaviors of the vulnerable components and the symptoms of exploitation, such as unusual file access patterns or service instability.
SIGMA Rules
The following rules detect potential path traversal activity in logs and application crashes indicative of type confusion or memory exhaustion.
---
title: Potential Path Traversal in Medical Imaging Services
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential path traversal patterns in process command lines or script arguments, often indicative of exploits targeting CVE-2026-50003 in embedded toolkits.
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    CommandLine|contains:
      - '../'
      - '..\'
  filter_medical:
    Image|contains:
      - 'dcm'
      - 'dicom'
      - 'pacs'
      - 'image'
  condition: selection and filter_medical
falsepositives:
  - Legitimate administrative scripts referencing parent directories
level: high
---
title: Medical Imaging Service Crash or OOM Event
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects Out of Memory (OOM) killer or segmentation fault events in processes associated with medical imaging, potentially indicating exploitation of CVE-2026-50254 or CVE-2026-35505.
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1499
logsource:
  product: linux
  service: syslog
detection:
  selection_keywords:
    Message|contains:
      - 'Out of memory'
      - 'segfault'
      - 'killed process'
  selection_imaging:
    Message|contains:
      - 'dcm'
      - 'dicom'
  condition: all of selection_*
falsepositives:
  - General system instability or hardware faults
level: medium
KQL (Microsoft Sentinel / Defender)
Hunt for segmentation faults or OOM kills involving DICOM-related processes ingested via Syslog or CEF.
Syslog
| where ProcessName contains "dcm" or ProcessName contains "dicom" or ProcessName contains "pacs"
| where SyslogMessage has "segfault" or SyslogMessage has "Out of memory" or SyslogMessage has "killed process"
| project TimeGenerated, Computer, ProcessName, SyslogMessage, FacilitySeverity
| sort by TimeGenerated desc
Velociraptor VQL
Hunt for the presence of the vulnerable shared libraries (libdcmnet.so, dcmdata.dll) on endpoints to identify assets requiring vendor patch coordination.
-- Hunt for DCMTK library files on Linux endpoints
-- glob() takes its patterns as a list
SELECT FullPath, Size, Mtime
FROM glob(globs=['/usr/lib/**/libdcm*', '/usr/local/lib/**/libdcm*', '/opt/*/lib*/libdcm*'])
WHERE NOT FullPath =~ '\.pyc$'
Remediation Script
Use this Bash script to scan Linux-based medical appliances or servers for installed DCMTK libraries and check their version strings.
#!/bin/bash
# Scan for OFFIS DCMTK libraries to identify vulnerable versions (<= 3.7.0)
# Requires root privileges for full filesystem access

echo "[*] Scanning for DCMTK libraries..."

# Find common DCMTK library files. Restrict to regular files so strings(1) is
# never run on a directory, and group the -name tests so -type f applies to all.
find /usr /opt /local /var/lib -type f \( -name "libdcmnet.so*" -o -name "libdcmdata.so*" -o -name "dcmtk" \) 2>/dev/null | while IFS= read -r file; do
    echo "[+] Found library: $file"
    # Extract version info using strings if available
    if command -v strings >/dev/null 2>&1; then
        version=$(strings "$file" | grep -i "OFFIS DCMTK" | head -n 1)
        if [ -n "$version" ]; then
            echo "    Version String: $version"
            # Check for vulnerable versions (simplified string match)
            if echo "$version" | grep -qE "(3\.[0-6]\.|3\.7\.0)"; then
                echo "    [ALERT] Vulnerable version detected!"
            fi
        else
            echo "    No version string found in binary."
        fi
    fi
done

echo "[*] Scan complete."
echo "[!] Action: If vulnerable libraries are found, contact the medical device vendor immediately for an update."
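The grep in the script above is a substring match, which cannot express "less than or equal to 3.7.0" precisely. The added Python example below (not part of the page's script) turns a strings(1) dump into a numeric version and compares it against the 3.7.0 ceiling stated in this advisory. The sample dumps are constructed, and the compact "OFFIS_DCMTK_367" marker form is an assumption about how DCMTK binaries embed their implementation version name.

```python
import re

# Highest affected release per the advisory: DCMTK <= 3.7.0.
MAX_AFFECTED = (3, 7, 0)

# Dotted form the page's grep looks for, e.g. "OFFIS DCMTK 3.6.7".
_DOTTED = re.compile(r"OFFIS\s+DCMTK\D{0,20}(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
# Compact implementation-version-name form, e.g. "OFFIS_DCMTK_367" (assumed
# layout: one digit per component, so it only covers 3.x.y with x, y < 10).
_COMPACT = re.compile(r"OFFIS_DCMTK_(\d)(\d)(\d)(?!\d)")


def parse_dcmtk_version(strings_output: str):
    """Return (major, minor, patch) found in a strings(1) dump, or None."""
    for pattern in (_DOTTED, _COMPACT):
        m = pattern.search(strings_output)
        if m:
            return tuple(int(g) for g in m.groups())
    return None


def is_affected(version) -> bool:
    """Tuple comparison gives a real ordering, unlike a regex prefix match."""
    return version is not None and version <= MAX_AFFECTED


def assess(strings_output: str) -> dict:
    """Verdict for one binary: parsed version plus whether it is in scope."""
    version = parse_dcmtk_version(strings_output)
    return {"version": version, "affected": is_affected(version)}


# Constructed sample dumps standing in for `strings libdcmnet.so` output.
SAMPLES = {
    "old_dotted": "GCC: (GNU) 9.4.0\nOFFIS DCMTK 3.6.7\n_ZN9DcmObject",
    "old_compact": "OFFIS_DCMTK_367\n_ZN9DcmObject",
    "boundary": "OFFIS_DCMTK_370\nversion 3.7.0",
    "fixed": "OFFIS DCMTK 3.7.1\nversion string",
    "unknown": "no version marker here",
}
```

Feed it the real `strings` output of each file the scan script finds; a result of `None` means the binary needs manual inspection rather than a clean bill of health.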
Remediation
- Vendor Coordination: Since DCMTK is embedded, you cannot patch it directly on most medical devices. Identify all affected assets using the detection methods above and contact the device manufacturer (OEM) to request a patched firmware or software version that addresses CVE-2026-50003 and related flaws.
- Network Segmentation: Ensure that DICOM traffic (typically TCP ports 104, 11112, 2761-2762) is strictly isolated. Medical devices should not be reachable from the general enterprise network or the internet.
- Apply Vendor Patches: As patches become available, prioritize updating systems that act as DICOM Nodes (Servers/SCUs) over standalone clients, as the CVSS 9.8 score primarily impacts server-side handling of malicious DICOM objects.
- Monitoring: Increase monitoring on DICOM servers for unexpected file writes in system directories or process crashes, which may indicate active exploitation attempts.