
Vulnerability advisory · CISA · 71d ago

Grassroots DICOM (GDCM)

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json

Summary

Successful exploitation of this vulnerability could allow an attacker to send a specially crafted file that, when parsed, results in a denial-of-service condition.

The following versions of Grassroots DICOM (GDCM) are affected:

- Grassroots DICOM (GDCM) 3.2.2 (CVE-2026-3650)

CVSS v3: 7.5 | Vendor: Grassroots | Equipment: Grassroots DICOM (GDCM) | Vulnerability: Missing Release of Memory after Effective Lifetime

Background

- Critical Infrastructure Sectors: Healthcare and Public Health
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-3650

A memory leak exists in the Grassroots DICOM library (GDCM). The bug is triggered when parsing malformed DICOM files whose File Meta Information contains non-standard VR (Value Representation) types. Parsing such a file causes very large memory allocations that are never released, depleting resources and producing a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-3650

Affected Products

Grassroots DICOM (GDCM)
Vendor: Grassroots
Product Version: Grassroots DICOM (GDCM): 3.2.2
Product Status: known_affected

Remediations

Mitigation: The maintainer of Grassroots DICOM (GDCM) has not responded to requests to work with CISA to mitigate this vulnerability. For update information, refer to the software page on SourceForge: https://sourceforge.net/projects/gdcm/

The advisory lists only version 3.2.2 as known_affected and names no fixed release; deployments that parse DICOM files from untrusted sources should be treated as exposed until the maintainer publishes guidance.

Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime (https://cwe.mitre.org/data/definitions/401.html)
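The advisory describes malformed files whose File Meta Information carries non-standard VR codes and drives the parser into large, never-released allocations. One defensive control a practitioner can put in front of GDCM (or any DICOM parser) is to validate group 0002 with explicit bounds before handing the file over. The following is an added example written for this page; it is not GDCM code and not a patch for CVE-2026-3650. It parses the Explicit VR Little Endian file meta group, rejects unknown VR codes, rejects any declared length that exceeds the buffer or a configurable cap, and checks the (0002,0000) group length against the bytes actually present. The 64 KiB default cap, the `check_file` wrapper, and the non-standard UIDs in the constructed test vectors are assumptions of the example, not values from the advisory.

```python
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
UNDEFINED_LENGTH = 0xFFFFFFFF

# VRs encoded with 2 reserved bytes and a uint32 length (Explicit VR).
LONG_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
# VRs encoded with a uint16 length.
SHORT_VRS = {"AE", "AS", "AT", "CS", "DA", "DS", "DT", "FL", "FD", "IS", "LO",
             "LT", "PN", "SH", "SL", "SS", "ST", "TM", "UI", "UL", "US"}
KNOWN_VRS = LONG_VRS | SHORT_VRS


class DicomMetaError(ValueError):
    """Raised when the File Meta Information group is malformed."""


def parse_file_meta(data: bytes, max_value_len: int = 1 << 16) -> dict:
    """Walk group (0002,xxxx), which is always Explicit VR Little Endian,
    and return {(group, elem): (vr, value)}. Every declared length is
    checked against the buffer before any slice is taken, and unknown VR
    codes are rejected outright instead of being guessed at."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise DicomMetaError("missing DICM magic after 128-byte preamble")
    pos = PREAMBLE_LEN + 4
    elems, group_len, group_start = {}, None, None
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # file meta group is over; the main dataset starts here
        vr_raw = data[pos + 4:pos + 6]
        vr = vr_raw.decode("ascii", errors="replace")
        if vr not in KNOWN_VRS:
            raise DicomMetaError(f"unknown VR {vr_raw!r} at tag ({group:04X},{elem:04X})")
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                raise DicomMetaError("truncated element header")
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == UNDEFINED_LENGTH:
            raise DicomMetaError("undefined length is not permitted in file meta")
        if length > max_value_len or pos + length > len(data):
            raise DicomMetaError(f"declared length {length} exceeds limit or file size")
        value = data[pos:pos + length]
        pos += length
        elems[(group, elem)] = (vr, value)
        if elem == 0x0000:  # (0002,0000) announces the size of the rest of the group
            if vr != "UL" or length != 4:
                raise DicomMetaError("malformed group length element")
            (group_len,) = struct.unpack("<I", value)
            group_start = pos
    if group_start is not None and group_len != pos - group_start:
        raise DicomMetaError("group length does not match the bytes that follow")
    if (0x0002, 0x0010) not in elems:
        raise DicomMetaError("transfer syntax UID missing")
    return elems


def check_file(data: bytes) -> str:
    """Gatekeeper result: 'ok' or 'reject: <reason>'."""
    try:
        parse_file_meta(data)
    except DicomMetaError as exc:
        return f"reject: {exc}"
    return "ok"


# Constructed test vectors (no real patient data; UIDs other than the two
# standard DICOM UIDs are made up for this example).
def _elem(elem: int, vr: str, value: bytes, declared_len: int = -1) -> bytes:
    """Encode one group-0002 element; declared_len >= 0 forges the length."""
    length = len(value) if declared_len < 0 else declared_len
    head = struct.pack("<HH", 0x0002, elem) + vr.encode("ascii")
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", length) + value
    return head + struct.pack("<H", length) + value


def build_file(body_elems) -> bytes:
    body = b"".join(body_elems)
    group_len = _elem(0x0000, "UL", struct.pack("<I", len(body)))
    return b"\x00" * PREAMBLE_LEN + MAGIC + group_len + body


GOOD = build_file([
    _elem(0x0001, "OB", b"\x00\x01"),                       # file meta version
    _elem(0x0002, "UI", b"1.2.840.10008.5.1.4.1.1.7\x00"),  # SC Image Storage
    _elem(0x0003, "UI", b"1.2.3.4.5.6.7.8.9\x00"),          # made-up instance UID
    _elem(0x0010, "UI", b"1.2.840.10008.1.2.1\x00"),        # Explicit VR Little Endian
    _elem(0x0012, "UI", b"1.2.3.4.5\x00"),                  # made-up implementation UID
])
# Transfer syntax element carries a non-standard VR code.
BAD_VR = build_file([_elem(0x0001, "OB", b"\x00\x01"),
                     _elem(0x0010, "ZZ", b"1.2.840.10008.1.2.1\x00")])
# Well-formed header whose OB element claims ~4 GiB of value bytes it does not have.
BAD_LEN = build_file([_elem(0x0001, "OB", b"", declared_len=0xFFFFFFF0),
                      _elem(0x0010, "UI", b"1.2.840.10008.1.2.1\x00")])
```

`check_file(GOOD)` returns `ok`, while the two hostile variants come back with a reason string naming the unknown VR or the oversized length, so a gateway can drop them before the library ever allocates for them. This screens only the file meta group; it does not fix the library, and a sandboxed parse with a memory ceiling (for example a worker process under an address-space rlimit) is still the right place to contain a leak that lives in the dataset parser itself.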


Originally published by CISA

Source: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01

