Critical Vulnerability in Grassroots DICOM (GDCM) Detected

A vulnerability has been identified in the Grassroots DICOM library (GDCM) that an attacker can trigger with a specially crafted DICOM file: parsing the file leads to a denial-of-service condition. The root cause is a memory leak when GDCM handles malformed DICOM files whose file meta information contains non-standard VR (value representation) types.

Key Details:

  • Affected Version: Grassroots DICOM (GDCM) 3.2.2 (CVE-2026-3650)
  • Impact: Large memory allocations that are never released, depleting resources; a single read of a crafted file can potentially fill the heap.
  • Reported By: Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS.
  • Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime.
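Since the trigger described above is a file whose file meta information carries non-standard VR types, one practical check is to validate the Part 10 header against the standard before handing the file to any DICOM parser. The following is an added example written for this post; it is not GDCM's own code and not a fix for CVE-2026-3650. It walks the group 0002 elements, rejects any tag that is not defined for file meta information or that carries a VR other than the one the standard assigns, and refuses declared lengths that exceed the bytes present or a cap. The 1 MiB cap, the `is_safe_to_parse` gate, and the sample files built by `build_part10` are assumptions of this example.

```python
import struct

# Expected VR for each File Meta Information element (group 0002), DICOM PS3.10 Table 7.1-1.
FILE_META_VR = {
    (0x0002, 0x0000): "UL",  # File Meta Information Group Length
    (0x0002, 0x0001): "OB",  # File Meta Information Version
    (0x0002, 0x0002): "UI",  # Media Storage SOP Class UID
    (0x0002, 0x0003): "UI",  # Media Storage SOP Instance UID
    (0x0002, 0x0010): "UI",  # Transfer Syntax UID
    (0x0002, 0x0012): "UI",  # Implementation Class UID
    (0x0002, 0x0013): "SH",  # Implementation Version Name
    (0x0002, 0x0016): "AE",  # Source Application Entity Title
    (0x0002, 0x0017): "AE",  # Sending Application Entity Title
    (0x0002, 0x0018): "AE",  # Receiving Application Entity Title
    (0x0002, 0x0100): "UI",  # Private Information Creator UID
    (0x0002, 0x0102): "OB",  # Private Information
}
REQUIRED = [(0x0002, 0x0002), (0x0002, 0x0003), (0x0002, 0x0010)]
# VRs whose Explicit VR encoding has a 2-byte reserved field and a 4-byte length.
LONG_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}


class FileMetaError(ValueError):
    """File meta information is malformed or uses a non-standard VR/tag."""


def check_file_meta(data: bytes, max_element_len: int = 1 << 20) -> dict:
    """Validate the Part 10 preamble and every group 0002 element before a full parse.
    Each element must be a known tag with its standard VR; each declared length must fit the
    bytes present and the cap (1 MiB, an assumption). Returns {tag: (vr, value)} or raises."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise FileMetaError("missing 128-byte preamble or DICM magic")
    pos, meta, declared_len, group_start = 132, {}, None, None
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # first data-set element: the meta group has ended
        tag = (group, elem)
        vr = data[pos + 4:pos + 6].decode("ascii", errors="replace")
        expected = FILE_META_VR.get(tag)
        if expected is None:
            raise FileMetaError(f"unknown file meta element {tag}")
        if vr != expected:
            raise FileMetaError(f"element {tag}: VR {vr!r}, standard VR is {expected!r}")
        hdr = 12 if vr in LONG_VRS else 8
        if pos + hdr > len(data):
            raise FileMetaError(f"element {tag}: truncated header")
        length = struct.unpack_from("<I", data, pos + 8)[0] if hdr == 12 else struct.unpack_from("<H", data, pos + 6)[0]
        if length > max_element_len or pos + hdr + length > len(data):
            raise FileMetaError(f"element {tag}: declared length {length} exceeds limit or file")
        value = data[pos + hdr:pos + hdr + length]
        if tag == (0x0002, 0x0000):  # remember the group length so it can be verified below
            if length != 4:
                raise FileMetaError("group length must be a 4-byte UL")
            declared_len, group_start = struct.unpack("<I", value)[0], pos + hdr + 4
        meta[tag] = (vr, value)
        pos += hdr + length
    if declared_len is not None and pos - group_start != declared_len:
        raise FileMetaError(f"group length {declared_len} != actual {pos - group_start}")
    missing = [t for t in REQUIRED if t not in meta]
    if missing:
        raise FileMetaError(f"required file meta elements missing: {missing}")
    return meta


def is_safe_to_parse(data: bytes) -> bool:
    """Fail-closed gate: True only when the file meta information passes every check."""
    try:
        check_file_meta(data)
        return True
    except FileMetaError:
        return False


def encode_element(tag, vr: str, value: bytes) -> bytes:
    """Explicit VR Little Endian encoding of one element; used only to build samples."""
    if len(value) % 2:  # values are padded to even length: NUL for UI/OB, space for text
        value += b"\x00" if vr in ("UI", "OB") else b" "
    head = struct.pack("<HH", *tag) + vr.encode("ascii")
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_part10(elements) -> bytes:
    """Constructed sample: preamble, DICM, group 0002 with a correct group length,
    then one dummy data-set element so the group boundary is exercised."""
    body = b"".join(encode_element(t, v, val) for t, v, val in elements)
    group_len = encode_element((0x0002, 0x0000), "UL", struct.pack("<I", len(body)))
    dataset = encode_element((0x0008, 0x0016), "UI", b"1.2.840.10008.5.1.4.1.1.2")
    return b"\x00" * 128 + b"DICM" + group_len + body + dataset


# Constructed samples: a well-formed header, and the same header with the Transfer Syntax
# UID element encoded under a VR the standard does not assign to that tag.
GOOD_META = [
    ((0x0002, 0x0001), "OB", b"\x00\x01"),
    ((0x0002, 0x0002), "UI", b"1.2.840.10008.5.1.4.1.1.2"),
    ((0x0002, 0x0003), "UI", b"1.2.3.4.5"),
    ((0x0002, 0x0010), "UI", b"1.2.840.10008.1.2.1"),
    ((0x0002, 0x0012), "UI", b"1.2.3.4"),
]
BAD_VR_META = [(t, "UN", v) if t == (0x0002, 0x0010) else (t, vr, v) for t, vr, v in GOOD_META]
```

`is_safe_to_parse(build_part10(GOOD_META))` returns True and `is_safe_to_parse(build_part10(BAD_VR_META))` returns False; a header whose declared element length runs past the end of the file is refused as well. A gate like this belongs wherever files enter the system (a DICOM listener's receive path, an import script) and should fail closed: anything that does not pass goes to quarantine, not to the parser. It only covers the file meta information, so it is a pre-filter, not a substitute for a fixed library.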

Affected Sectors:

  • Critical Infrastructure: Healthcare and Public Health
  • Deployment: Worldwide

The GDCM maintainer has not responded to CISA's requests to collaborate on mitigating this vulnerability. CISA is not aware of any public exploitation targeting this issue at this time.

Recommendations:

CISA advises users to take defensive measures to minimize the risk of exploitation:

  • Minimize network exposure for all control system devices.
  • Ensure devices are not accessible from the internet.
  • Use firewalls to isolate control system networks from business networks.
  • When remote access is necessary, utilize secure methods like Virtual Private Networks (VPNs).

Because the trigger is a crafted file rather than a network request, these measures limit who can deliver such a file to a system running GDCM; they do not change how the library parses it. Organizations should perform proper impact analysis and risk assessment before implementing defensive measures. Any suspected malicious activity should be reported to CISA for tracking and correlation against other incidents.

For more information, refer to the software page on SourceForge.

This post is licensed under CC BY 4.0 by the author.