There are 5 open security issues in bookworm.
5 issues left for the package maintainer to handle:
- CVE-2026-35505:
(postponed; to be fixed through a stable update)
An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.
- CVE-2026-44628:
(postponed; to be fixed through a stable update)
An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching worklist record.
- CVE-2026-50003:
(postponed; to be fixed through a stable update)
A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative (../) paths and absolute paths.
- CVE-2026-50254:
(postponed; to be fixed through a stable update)
An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator restarts it.
- CVE-2026-52868:
(postponed; to be fixed through a stable update)
An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental or clinic data separation.
You can find information about how to handle these issues in the security team's documentation.