CVE-2022-4981 in DCMTK

Summary

by MITRE • 10/21/2025

A vulnerability was detected in DCMTK up to 3.6.7. The impacted element is the function DcmQueryRetrieveConfig::readPeerList of the file /dcmqrcnf.cc of the component dcmqrscp. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. Upgrading to version 3.6.8 is sufficient to resolve this issue. The patch is identified as 957fb31e5. Upgrading the affected component is advised.

Analysis

by VulDB Data Team • 10/31/2025

The vulnerability identified as CVE-2022-4981 affects the DCMTK (DICOM Toolkit) library version 3.6.7 and earlier, specifically within the dcmqrscp component responsible for handling DICOM query/retrieve services. This issue manifests in the DcmQueryRetrieveConfig::readPeerList function located in the /dcmqrcnf.cc source file, representing a critical null pointer dereference flaw that can lead to application crashes and potential system instability. The vulnerability is classified under CWE-476 as a null pointer dereference, which occurs when an application attempts to access memory through a pointer that has not been properly initialized or has been set to null. The attack vector requires local access to the system, making it a privilege escalation vulnerability that could be exploited by malicious users with access to the target machine. This particular flaw exists in the DICOM query/retrieve service configuration handling logic where the application fails to properly validate pointer initialization before dereferencing, creating an exploitable condition that can be triggered through malformed configuration inputs or specific processing sequences.

The operational impact of this vulnerability extends beyond simple application crashes to potentially compromise the integrity of medical imaging systems that rely on DCMTK for DICOM communication protocols. In healthcare environments where DICOM services are critical for patient data exchange between medical devices, PACS systems, and imaging workstations, such a vulnerability could disrupt essential services and potentially lead to data loss or system unavailability during critical medical procedures. The null pointer dereference can cause the dcmqrscp service to terminate unexpectedly, which may result in incomplete DICOM transactions, failed patient data transfers, and disruption of clinical workflows that depend on seamless communication between medical imaging systems. This vulnerability is particularly concerning in enterprise healthcare settings where multiple DICOM services operate concurrently and any service disruption can cascade across interconnected medical imaging networks.

The exploit for this vulnerability has been made publicly available, which significantly increases the risk exposure for systems running affected versions of DCMTK. The patch identified as 957fb31e5 specifically addresses the null pointer dereference issue in the readPeerList function by implementing proper pointer validation and initialization checks before any memory access operations. Security practitioners should note that this vulnerability aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as the exploitation may involve crafting specific DICOM configuration inputs or command sequences that trigger the vulnerable code path. Organizations should prioritize immediate remediation by upgrading to DCMTK version 3.6.8, which contains the necessary code modifications to prevent the null pointer dereference condition. The remediation process should include thorough testing of the upgraded system to ensure that DICOM query/retrieve services continue to function correctly while eliminating the potential for exploitation.

The broader implications of this vulnerability highlight the importance of maintaining up-to-date medical imaging software in healthcare environments, where system reliability and data integrity are paramount. This issue demonstrates how seemingly minor code flaws in library components can have significant operational consequences in mission-critical systems, particularly those handling sensitive medical data. Organizations should implement comprehensive vulnerability management processes that include regular security assessments of medical imaging infrastructure, proper patch deployment procedures, and monitoring for publicly available exploits targeting healthcare technology stacks. The vulnerability also underscores the need for robust input validation and error handling in medical device communication protocols, as proper pointer management and initialization checks could have prevented this specific null pointer dereference scenario. Security teams should consider implementing additional monitoring for abnormal service termination patterns in DICOM services and establish incident response procedures specifically tailored for healthcare information technology environments where such disruptions could have serious consequences for patient care delivery.
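The pointer checks discussed above can be illustrated with a small peer-entry parser. This is an added example, not DCMTK source and not the content of patch 957fb31e5; the "(AETitle, host, port)" entry syntax and the names `Peer`, `nextField` and `parsePeerEntry` are assumptions made for the illustration.

```cpp
// Added illustration; not DCMTK source. The "(AETitle, host, port)" entry
// syntax and every name below are assumptions made for this example.
#include <cstdlib>
#include <cstring>
#include <string>

struct Peer { std::string aeTitle, host; int port = 0; };

// Returns the next field delimited by any char in `delims`, or nullptr when
// the input is exhausted. This nullable return is where CWE-476 starts.
static char* nextField(char*& cursor, const char* delims) {
    if (cursor == nullptr) return nullptr;
    cursor += std::strspn(cursor, delims);          // skip leading delimiters
    if (*cursor == '\0') { cursor = nullptr; return nullptr; }
    char* field = cursor;
    cursor += std::strcspn(cursor, delims);         // find end of field
    if (*cursor != '\0') *cursor++ = '\0'; else cursor = nullptr;
    return field;
}

// Unchecked pattern (do not use): a short entry such as "(ACME1, host)" makes
// the third call return nullptr; passing that to atoi is undefined behaviour.
//   out.port = std::atoi(nextField(cursor, delims));

// Checked form: every nullable result is tested before it is dereferenced,
// and a malformed entry is rejected instead of terminating the process.
bool parsePeerEntry(const char* entry, Peer& out) {
    if (entry == nullptr) return false;
    std::string buf(entry);                         // private, writable copy
    char* cursor = &buf[0];
    const char* delims = "(), \t";
    char* ae   = nextField(cursor, delims);
    char* host = nextField(cursor, delims);
    char* port = nextField(cursor, delims);
    if (ae == nullptr || host == nullptr || port == nullptr) return false;
    char* end = nullptr;
    long p = std::strtol(port, &end, 10);
    if (*end != '\0' || p < 1 || p > 65535) return false;
    out.aeTitle = ae; out.host = host; out.port = static_cast<int>(p);
    return true;
}

int main() {
    Peer p;                                         // constructed sample entries
    bool ok  = parsePeerEntry("(ACME1, acmehost1, 5678)", p);
    bool bad = parsePeerEntry("(ACME1, acmehost1)", p);
    return (ok && !bad) ? 0 : 1;
}
```

A rejected entry should be logged and skipped by the caller so that one malformed configuration line cannot stop the service.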

Responsible: VulDB
Disclosure: 10/21/2025
Moderation: accepted
CPE: ready
EPSS: 0.00015
KEV: no
Activities: very low
