{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3650", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-03-06T16:24:00.662Z", "datePublished": "2026-03-26T21:10:30.864Z", "dateUpdated": "2026-03-26T21:10:30.864Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-26T21:10:30.864Z"}, "title": "Grassroots DICOM Missing release of memory after effective lifetime", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-401", "description": "CWE-401", "type": "CWE"}]}], "affected": [{"vendor": "Grassroots", "product": "Grassroots DICOM (GDCM)", "versions": [{"status": "affected", "version": "3.2.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it."}]}], "references": [{"url": "https://sourceforge.net/projects/gdcm/"}, {"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "workarounds": [{"lang": "en", "value": "The maintainer of Grassroots DICOM (GDCM) has not responded to \nrequests to work with CISA to mitigate this vulnerability. For update \ninformation refer to the software page on SourceForge.\n\n https://sourceforge.net/projects/gdcm/", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The maintainer of Grassroots DICOM (GDCM) has not responded to \nrequests to work with CISA to mitigate this vulnerability. For update \ninformation refer to the software page on SourceForge.</p><p><a href=\"https://sourceforge.net/projects/gdcm/\" title=\"(opens in a new window)\">https://sourceforge.net/projects/gdcm/</a></p>"}]}], "credits": [{"lang": "en", "value": "Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS reported this vulnerability to CISA", "type": "finder"}], "source": {"advisory": "ICSMA-26-083-01", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it."}], "id": "CVE-2026-3650", "lastModified": "2026-03-26T22:16:31.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-03-26T22:16:31.370", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://sourceforge.net/projects/gdcm/"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{"bugzilla": {"description": "gdcm: GDCM: Denial of Service via malformed DICOM files", "id": "2451988", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451988"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in the Grassroots DICOM library (GDCM). This memory leak vulnerability occurs when the library processes maliciously crafted DICOM files containing non-standard value representation (VR) types in their file meta-information. A remote attacker can exploit this by providing such a file, leading to vast memory allocations and resource depletion. This can trigger a denial-of-service condition, making the affected system unavailable."], "name": "CVE-2026-3650", "public_date": "2026-03-26T21:10:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3650\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3650\nhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json\nhttps://sourceforge.net/projects/gdcm/\nhttps://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01"], "statement": "A memory leak flaw in the Grassroots DICOM library (GDCM) can lead to a denial-of-service condition. This MODERATE vulnerability occurs when the library processes maliciously crafted DICOM files containing non-standard value representation types in their file meta-information. Red Hat products that utilize GDCM and process untrusted DICOM files are affected.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.2.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Grassroots DICOM (GDCM)", "source": "cna", "vendor": "Grassroots"}, "product": "grassroots_dicom", "vendor": "grassroots"}], "analysis": {"en": {"generated_at": "2026-03-27T06:38:53.452369+00:00", "value": {"mitigation_remediation": ["Upgrade the Grassroots DICOM library to the latest release available on SourceForge or apply any vendor\u2011issued patch.", "If no update is available, block or refuse the processing of DICOM files that contain non\u2011standard VR types from untrusted sources.", "Implement application\u2011level validation or quarantine to prevent the ingestion of malformed DICOM files until a patch is available.", "Monitor memory utilization on servers running GDCM and set alerts for sudden heap growth."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Grassroots DICOM (GDCM), developed by the Grassroots project, is the affected suite. No specific version range is listed in the advisory, meaning that any deployment of GDCM that has not been confirmed patched could be at risk. Updated releases and additional information can be obtained from the project's SourceForge page.", "description_and_impact": "A memory leak has been identified in the Grassroots DICOM (GDCM) library. The flaw arises when the library parses malformed DICOM files containing non\u2011standard Value Representation (VR) types in the file meta information section. As a result, large amounts of memory are allocated and never released, causing the heap to be exhausted in a single read operation and ultimately leading to a denial\u2011of\u2011service condition. This bug directly maps to the CWE identifiers for memory leak (CWE\u2011401) and resource exhaustion (CWE\u2011770).", "risk_and_exploitability": "The CVSS score of 8.7 qualifies this flaw as high severity, and while an EPSS value is unavailable, its potential for causing out\u2011of\u2011memory conditions makes exploitation practically relevant. Because the fault is triggered during the parsing of a DICOM file, the likely attack vector is delivery of a crafted file through the DICOM service or via an application that imports or processes DICOM data. Without an official fix yet publicly disclosed, users should treat this as a high\u2011risk issue and proactively lock down or postpone usage of the affected library until a patched version is released."}}}}, "created": "2026-03-27T08:31:48.358577+00:00", "updated": "2026-03-27T09:23:15.388970+00:00", "vendors": ["grassroots", "grassroots$PRODUCT$grassroots_dicom"]}