High‑Impact DoS in Grassroots DICOM (GDCM) 3.2.2 (CVE‑2026‑3650) Threatens Healthcare Imaging Systems
What It Is – A memory‑leak vulnerability (CVE‑2026‑3650) in the open‑source Grassroots DICOM (GDCM) library allows an attacker to craft a malformed DICOM file that, when parsed, allocates massive heap memory and never releases it, causing a denial of service (DoS).
Exploitability – No public exploit code has been released, but the attack requires only the ability to deliver a malicious DICOM file to a system that uses GDCM. CVSS v3.1 base score 7.5 (High).
Affected Products – Grassroots DICOM (GDCM) library version 3.2.2 (vendor: Grassroots).
TPRM Impact – Any third party that embeds GDCM in medical imaging pipelines, PACS, radiology SaaS, or embedded device firmware inherits the DoS risk. A disruption could cascade to hospitals, tele‑health platforms, and downstream analytics services, creating a supply‑chain availability threat.
Recommended Actions –
- Inventory all assets that incorporate GDCM 3.2.2 (including third‑party SaaS and device firmware).
- Prioritize upgrading to a patched version or switching to an alternative DICOM library.
- Apply runtime hardening: enforce strict file‑type validation, limit memory allocation per parse, and monitor for abnormal heap growth.
- Engage with the library maintainer and CISA for remediation guidance.
- Update third‑party risk registers to reflect the new DoS exposure.
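The file‑type validation and per‑parse allocation limits recommended above, as an added example that is neither GDCM code nor a fix for CVE‑2026‑3650: a Python pre‑parse gate that rejects a file before it reaches the DICOM library if it lacks the Part 10 "DICM" magic, exceeds a size budget, or declares a File Meta element length that is unbounded or cannot fit in the file. The size limits and the sample files are constructed for illustration.

```python
import struct

# Constructed limits for this example; tune them to the deployment's real file sizes.
MAX_FILE_BYTES = 512 * 1024 * 1024     # refuse the file outright above this size
MAX_ELEMENT_BYTES = 64 * 1024 * 1024   # refuse any element that claims more than this
# Explicit-VR encodings with a 2-byte reserved field and a 4-byte length
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

def validate_dicom_part10(data: bytes):
    """Pre-parse gate: returns (ok, reason) without allocating any element's value."""
    if len(data) > MAX_FILE_BYTES:
        return False, "file exceeds size cap"
    if len(data) < 132 or data[128:132] != b"DICM":
        return False, "missing DICM magic at offset 128"
    pos, saw_transfer_syntax = 132, False
    # File Meta Information (group 0002) is always explicit VR little endian
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break                        # meta header done; dataset proper begins
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                return False, "truncated element header"
            (length,), hdr = struct.unpack_from("<I", data, pos + 8), 12
        else:
            (length,), hdr = struct.unpack_from("<H", data, pos + 6), 8
        if length == 0xFFFFFFFF or length > MAX_ELEMENT_BYTES:
            return False, f"element ({group:04x},{element:04x}) declares oversized length"
        if pos + hdr + length > len(data):
            return False, f"element ({group:04x},{element:04x}) length exceeds file"
        saw_transfer_syntax |= element == 0x0010
        pos += hdr + length
    if not saw_transfer_syntax:
        return False, "no Transfer Syntax UID (0002,0010) in meta header"
    return True, "ok"

def _elem(group, element, vr, value):
    """Constructed helper: encode one explicit-VR little-endian element."""
    tag = struct.pack("<HH", group, element)
    if vr in LONG_VRS:
        return tag + vr + b"\0\0" + struct.pack("<I", len(value)) + value
    return tag + vr + struct.pack("<H", len(value)) + value

# Constructed samples: valid header, ~4 GiB element claim, length past end of file, non-DICOM
TS_UID = b"1.2.840.10008.1.2.1\0"        # Explicit VR Little Endian, padded to even length
GOOD = bytes(128) + b"DICM" + _elem(0x0002, 0x0010, b"UI", TS_UID)
BAD_LEN = bytes(128) + b"DICM" + struct.pack("<HH", 2, 1) + b"OB\0\0" + struct.pack("<I", 0xFFFFFFF0)
TRUNC = bytes(128) + b"DICM" + struct.pack("<HH", 2, 0x10) + b"UI" + struct.pack("<H", 100)
NOT_DICOM = b"GIF89a" + bytes(200)
```

Run the gate on every inbound file and only hand the accepted ones to the parser; the rejection reason is what you log and alert on when a feed starts producing oversized or truncated headers.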
Source: CISA Advisory – ICSMA‑26‑083‑01