CVE-2026-3650
Memory Leak in GDCM Library Causes Denial of Service
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: ICS-CERT
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grassroots_dicom | gdcm | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a memory leak in the Grassroots DICOM library (GDCM). It happens when the library parses malformed DICOM files that contain non-standard VR (Value Representation) types in the file meta information.
Because of this bug, the library allocates a large amount of memory without properly releasing it, which can quickly consume system resources.
A specially crafted malicious file can cause the heap memory to fill up in a single read operation, leading to resource depletion.
This ultimately triggers a denial-of-service (DoS) condition, making the affected system or application unavailable.
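A pre-parse check for the condition described above, as an added example that is not part of the original page or of the GDCM code base: it walks the file meta information (group 0002) of a DICOM Part 10 file and reports non-standard VR codes and length fields larger than the file, before the data reaches a parser. The function names and the constructed sample bytes are assumptions made for illustration; this is generic input validation, not the vendor's fix.

```python
import struct

# Standard VR codes from DICOM PS3.5. In Explicit VR encoding, LONG_VRS carry
# 2 reserved bytes plus a 4-byte length; SHORT_VRS carry a 2-byte length.
LONG_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
SHORT_VRS = {"AE", "AS", "AT", "CS", "DA", "DS", "DT", "FD", "FL", "IS", "LO",
             "LT", "PN", "SH", "SL", "SS", "ST", "TM", "UI", "UL", "US"}

def check_file_meta(data: bytes) -> list[str]:
    """Return problems found in the group 0002 header (empty list = clean)."""
    if len(data) < 132 or data[128:132] != b"DICM":
        return ["missing 128-byte preamble or DICM magic"]
    problems, pos = [], 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:              # end of file meta information
            break
        tag = f"({group:04x},{elem:04x})"
        vr = data[pos + 4:pos + 6].decode("ascii", "replace")
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                problems.append(f"{tag}: truncated element header")
                break
            (length,) = struct.unpack_from("<I", data, pos + 8)
            header = 12
        elif vr in SHORT_VRS:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            header = 8
        else:
            # Length layout is unknown for an unrecognised VR, so stop here.
            problems.append(f"{tag}: non-standard VR {vr!r}")
            break
        if length > len(data) - pos - header:
            problems.append(f"{tag}: length {length} exceeds remaining bytes")
            break
        pos += header + length
    return problems

def build_sample(vr: bytes) -> bytes:
    """Constructed sample: preamble, magic, one (0002,0010) element with `vr`."""
    value = b"1.2.840.10008.1.2.1\x00"   # transfer syntax UID padded to even length
    elem = struct.pack("<HH", 0x0002, 0x0010) + vr + struct.pack("<H", len(value)) + value
    return b"\x00" * 128 + b"DICM" + elem

if __name__ == "__main__":
    for vr in (b"UI", b"ZZ"):
        print(vr, check_file_meta(build_sample(vr)) or "ok")
```

A file that fails this check can be quarantined instead of being passed to the DICOM parser; running the parser in a memory-limited process remains a separate control.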
How can this vulnerability impact me?
The vulnerability can cause a denial-of-service condition by exhausting system memory resources.
If an attacker provides a maliciously crafted DICOM file, it can cause the affected application or system using the Grassroots DICOM library to crash or become unresponsive.
This can disrupt normal operations, potentially leading to downtime or loss of availability of critical services that rely on processing DICOM files.