Critical Memory‑Release Bug in Grassroots DICOM Library (GDCM 3.2.2) Risks Hospital Imaging Availability
What Happened – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on a high‑severity memory‑release vulnerability in the open‑source Grassroots DICOM (GDCM) imaging library, version 3.2.2. The flaw can be triggered remotely without authentication, causing PACS (Picture Archiving and Communication System) servers to crash and potentially taking an entire hospital’s imaging archive offline. No patch is currently available.
Why It Matters for TPRM –
- Imaging systems are core to diagnostic workflows; disruption can affect patient care and regulatory compliance.
- GDCM is bundled with many commercial and custom medical‑device products, creating a hidden supply‑chain exposure for healthcare providers and their vendors.
- The lack of a fix forces organizations to rely on mitigations and heightened monitoring, increasing operational overhead.
Who Is Affected – Healthcare providers (hospitals, imaging centers), medical‑device manufacturers, SaaS imaging platforms, and any third‑party vendors that embed GDCM in their products.
Recommended Actions –
- Inventory all products and services that incorporate GDCM 3.2.2 or earlier.
- Engage vendors to confirm library version and request temporary mitigations (e.g., input validation, network segmentation).
- Increase monitoring for anomalous DICOM file traffic and PACS stability alerts.
- Prioritize patch deployment once an official fix is released; consider alternative libraries if remediation timelines are unacceptable.
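Monitoring for "PACS stability alerts" is easier to act on when it distinguishes normal growth under load from memory that is never released. The following Python is an added example (not from the advisory, CISA, or the GDCM project): it samples the PACS process's resident set size together with the number of open DICOM associations, fits a trend only to samples taken while the server is idle, and projects the time until a configured memory limit is reached. The sample series, the idle threshold and the 1 MiB/minute alert rate are constructed assumptions to be replaced with values observed on the real archive.

```python
"""Trend check over PACS process memory samples: flags memory that is not
released once the server returns to idle, and estimates time to exhaustion."""
from dataclasses import dataclass
from typing import List, Optional

MiB = 1024 * 1024


@dataclass(frozen=True)
class MemSample:
    t_sec: float       # seconds since monitoring began
    rss_bytes: int     # resident set size of the PACS process
    associations: int  # DICOM associations open when the sample was taken


def growth_rate(samples: List[MemSample]) -> float:
    """Least-squares slope of RSS against time, in bytes per second."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(s.t_sec for s in samples) / n
    mean_r = sum(s.rss_bytes for s in samples) / n
    num = sum((s.t_sec - mean_t) * (s.rss_bytes - mean_r) for s in samples)
    den = sum((s.t_sec - mean_t) ** 2 for s in samples)
    return num / den if den else 0.0


def idle_samples(samples: List[MemSample], idle_assoc_max: int = 0) -> List[MemSample]:
    """Samples taken with no (or few) associations open; RSS should be flat there."""
    return [s for s in samples if s.associations <= idle_assoc_max]


def leak_suspected(samples: List[MemSample], *, min_rate_bytes_per_sec: float = MiB / 60,
                   idle_assoc_max: int = 0, min_idle_samples: int = 3) -> bool:
    """True when RSS keeps rising across idle periods.  Growth under load is
    expected; growth that persists once load is gone is the signature of
    memory that is never released."""
    idle = idle_samples(samples, idle_assoc_max)
    if len(idle) < min_idle_samples:
        return False  # cannot yet separate load from leakage
    return growth_rate(idle) >= min_rate_bytes_per_sec


def seconds_to_exhaustion(samples: List[MemSample], limit_bytes: int,
                          idle_assoc_max: int = 0) -> Optional[float]:
    """Projected seconds until RSS reaches limit_bytes at the idle growth
    rate; None when there is no upward trend."""
    rate = growth_rate(idle_samples(samples, idle_assoc_max))
    if rate <= 0 or not samples:
        return None
    return max(0.0, (limit_bytes - samples[-1].rss_bytes) / rate)


# Constructed one-minute samples (assumed values, not from a real PACS).
def _series(rows):
    return [MemSample(t, r * MiB, a) for t, r, a in rows]


HEALTHY = _series([(0, 800, 0), (60, 950, 12), (120, 800, 0), (180, 1000, 14),
                   (240, 800, 0), (300, 980, 11), (360, 800, 0)])
LEAKING = _series([(0, 800, 0), (60, 950, 12), (120, 880, 0), (180, 1040, 14),
                   (240, 960, 0), (300, 1120, 11), (360, 1040, 0)])

if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("leaking", LEAKING)):
        eta = seconds_to_exhaustion(series, 2048 * MiB)
        print(f"{name}: leak_suspected={leak_suspected(series)} "
              f"idle_rate={growth_rate(idle_samples(series)):.0f} B/s eta={eta}")
```

Fitting the slope to idle samples only is the design point: a busy archive legitimately grows while studies are in flight, so an alert on raw RSS growth pages operators on every backlog, whereas RSS that is higher at each quiet period than the last is the pattern a missing memory release produces. The projected time to the limit gives the operations team a concrete window for a scheduled restart instead of an unplanned outage.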
Technical Notes – The vulnerability is a “missing release of memory after effective lifetime” (CVE‑2026‑XXXX) that can be exploited by sending crafted DICOM files, leading to memory exhaustion and service crash. The DICOM protocol itself lacks authentication, encryption, and integrity checks, amplifying the risk. No CVE number was disclosed in the source article; placeholder used. Source: DataBreachToday
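Because the advisory does not describe what makes a file "crafted", a vendor-side "input validation" mitigation can only be a generic structural gate placed in front of the imaging library. The following Python is an added example, not code from the advisory, CISA, or GDCM: it parses the DICOM Part 10 preamble and File Meta Information group (which the standard encodes as explicit VR little-endian) with every declared length bounds-checked before any slice is taken, verifies the group length, and accepts only transfer syntaxes on a local allow-list. The allow-list, the size cap and the sample files are constructed assumptions; the check rejects malformed headers, not the specific trigger, which the page does not characterise.

```python
"""Structural pre-check for DICOM Part 10 files (File Meta group 0002)."""
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 4-byte length field
# Transfer syntaxes this gateway agrees to forward (assumed local policy).
ALLOWED_TRANSFER_SYNTAXES = {
    "1.2.840.10008.1.2",    # Implicit VR Little Endian
    "1.2.840.10008.1.2.1",  # Explicit VR Little Endian
}


class DicomRejected(ValueError):
    """Raised when a file fails the structural pre-check."""


def _uid(value: bytes) -> str:
    # UIDs are ASCII, padded to even length with a trailing NUL.
    try:
        return value.rstrip(b"\x00 ").decode("ascii")
    except UnicodeDecodeError:
        raise DicomRejected("non-ASCII bytes in UID") from None


def parse_file_meta(data: bytes, max_meta_bytes: int = 64 * 1024) -> dict:
    """Parse group 0002 with bounds checks; returns {(group, element): raw_value}."""
    if len(data) < PREAMBLE_LEN + 4:
        raise DicomRejected("file shorter than preamble plus magic")
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise DicomRejected("missing DICM magic at offset 128")
    meta_start = pos = PREAMBLE_LEN + 4
    meta, after_group_length = {}, None
    while pos < len(data):
        if pos + 8 > len(data):
            raise DicomRejected("truncated element header")
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # File Meta group is over; the dataset proper starts here
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                raise DicomRejected("truncated element header")
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise DicomRejected("undefined length is not allowed in File Meta")
        if length > len(data) - pos:  # declared length must fit the bytes present
            raise DicomRejected(f"({group:04x},{elem:04x}) declares {length} bytes, "
                                f"file has {len(data) - pos}")
        if pos + length - meta_start > max_meta_bytes:
            raise DicomRejected("File Meta group exceeds size cap")
        meta[(group, elem)] = data[pos:pos + length]
        pos += length
        if (group, elem) == (0x0002, 0x0000):
            after_group_length = pos
    if after_group_length is not None:  # (0002,0000) must describe the rest of the group
        declared = meta[(0x0002, 0x0000)]
        if len(declared) != 4 or struct.unpack("<I", declared)[0] != pos - after_group_length:
            raise DicomRejected("File Meta group length does not match its contents")
    return meta


def precheck(data: bytes) -> dict:
    """Accept only well-formed File Meta with an allow-listed transfer syntax."""
    meta = parse_file_meta(data)
    if (0x0002, 0x0010) not in meta:
        raise DicomRejected("transfer syntax UID (0002,0010) missing")
    ts = _uid(meta[(0x0002, 0x0010)])
    if ts not in ALLOWED_TRANSFER_SYNTAXES:
        raise DicomRejected(f"transfer syntax {ts!r} not on allow-list")
    if (0x0002, 0x0002) not in meta:
        raise DicomRejected("media storage SOP class UID (0002,0002) missing")
    return {"transfer_syntax": ts, "sop_class": _uid(meta[(0x0002, 0x0002)])}


def is_acceptable(data: bytes) -> bool:
    try:
        precheck(data)
        return True
    except DicomRejected:
        return False


# --- constructed sample files (assumed values, not real study data) ----------
def _elem(group, elem, vr, value, declared_len=None):
    if len(value) % 2:
        value += b"\x00"
    n = len(value) if declared_len is None else declared_len
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", n) + value
    return head + struct.pack("<H", n) + value


def build_sample(transfer_syntax="1.2.840.10008.1.2.1", oversize=False) -> bytes:
    """Minimal Part 10 file: preamble, magic, File Meta, one dataset element."""
    body = (_elem(2, 0x0001, b"OB", b"\x00\x01")
            + _elem(2, 0x0002, b"UI", b"1.2.840.10008.5.1.4.1.1.2")  # CT Image Storage
            + _elem(2, 0x0003, b"UI", b"1.2.3.4.5.6")  # constructed instance UID
            + _elem(2, 0x0010, b"UI", transfer_syntax.encode(),
                    declared_len=0xFFFF if oversize else None))  # header lies about length
    group_length = _elem(2, 0x0000, b"UL", struct.pack("<I", len(body)))
    dataset = _elem(8, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.2")  # (0008,0016) SOP Class UID
    return b"\x00" * PREAMBLE_LEN + MAGIC + group_length + body + dataset
```

Run as a gateway step before a file is handed to the library or stored: `is_acceptable(data)` decides whether to forward, and the rejection reason from `precheck` belongs in the DICOM traffic monitoring feed, since a cluster of rejections from one sending AE title is exactly the "anomalous DICOM file traffic" the recommended actions ask teams to watch for.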