CVE-2026-3650

Summary

A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.

Affected Software

VendorProductVersion RangeStatus
GrassrootsGrassroots DICOM (GDCM)3.2.2affected

Weaknesses

  • CWE-401: CWE-401

Workarounds

The maintainer of Grassroots DICOM (GDCM) has not responded to requests to work with CISA to mitigate this vulnerability. For update information refer to the software page on SourceForge.

https://sourceforge.net/projects/gdcm/

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References