CVE-2026-3650
Received Received - Intake
Memory Leak in GDCM Library Causes Denial of Service

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: ICS-CERT

Description
A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3650
EUVD
EUVD-2026-16450
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
grassroots_dicom gdcm *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a memory leak in the Grassroots DICOM library (GDCM). It happens when the library parses malformed DICOM files that contain non-standard VR (Value Representation) types in the file meta information.

Because of this bug, the library allocates a large amount of memory without properly releasing it, which can quickly consume system resources.

A specially crafted malicious file can cause the heap memory to fill up in a single read operation, leading to resource depletion.

This ultimately triggers a denial-of-service (DoS) condition, making the affected system or application unavailable.

Impact Analysis

The vulnerability can cause a denial-of-service condition by exhausting system memory resources.

If an attacker provides a maliciously crafted DICOM file, it can cause the affected application or system using the Grassroots DICOM library to crash or become unresponsive.

This can disrupt normal operations, potentially leading to downtime or loss of availability of critical services that rely on processing DICOM files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3650. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart