CVE Alert

CVE-2026-3650

HIGH 7.5

Grassroots DICOM Missing release of memory after effective lifetime

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 15th

A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files whose file meta information contains non-standard VR (value representation) types. Because the allocated memory is never released, the vulnerability leads to vast memory allocations and resource depletion, resulting in a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without the memory being properly released.

CWE: CWE-401
Vendor: grassroots
Product: grassroots dicom (gdcm)
Published: Mar 26, 2026
Last Updated: Mar 27, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Affected Versions

Grassroots / Grassroots DICOM (GDCM)
3.2.2

References

NVD, CVE.org, EPSS Data
sourceforge.net: https://sourceforge.net/projects/gdcm/
cisa.gov: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01
github.com: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json

Credits

Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS reported this vulnerability to CISA.