CVE-2025-11266
6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Summary
An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input, simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Grassroots | DICOM (GDCM) | 0 <= 3.0.24 | affected |
| NumFocus | SimpleITK | 0 <= 2.5.2 | affected |
| medInria | medInria | 0 <= 4.0 | affected |
Weaknesses
- CWE-787: CWE-787 Out-of-bounds Write
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://github.com/malaterre/GDCM/releases/tag/v3.2.2
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-345-01
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsma-25-345-01.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.