OTPulse

Grassroots DICOM (GDCM)

CVSS v3.1: 7.5 · ICS-CERT ICSMA-26-083-01 · Mar 24, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Grassroots DICOM (GDCM) library version 3.2.2 contains a memory-leak vulnerability (CWE-401, Missing Release of Memory after Effective Lifetime) that allows denial-of-service attacks when parsing specially crafted DICOM files: a crafted file drives the parser's memory consumption up until the application crashes or becomes unresponsive. The maintainer has not responded to mitigation requests, and no patch has been released. The CVSS v3.1 base score is 7.5 (high severity).

What this means
What could happen
An attacker could send a malformed DICOM medical image file that causes the GDCM library to crash or become unresponsive, disrupting image processing pipelines and potentially delaying patient care workflows in radiology and imaging departments.
Who's at risk
Healthcare organizations using GDCM in medical imaging systems, particularly radiology departments, Picture Archiving and Communication Systems (PACS), and any clinical workstations that process DICOM medical images should assess their exposure and prioritize mitigation.
How it could be exploited
An attacker crafts a malicious DICOM file and delivers it to a system running GDCM (e.g., through a Picture Archiving and Communication System, a medical imaging workstation, or a file upload interface). When GDCM parses the file, the vulnerability triggers a denial-of-service condition that stops image processing.
Prerequisites
  • GDCM library version 3.2.2 installed on the target system
  • The application must attempt to parse or process untrusted DICOM files
  • Network or local access to deliver the malicious DICOM file to the system
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects patient care workflows
Affected products (1)
Product: Grassroots DICOM (GDCM) 3.2.2 | Affected Versions: 3.2.2 | Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable or restrict DICOM file uploads from external sources where possible; validate file structure and integrity before processing
Schedule — requires maintenance window

Applying a future fix may require a device reboot; plan for process interruption

HOTFIX: Monitor the GDCM project page on SourceForge for updates and security patches; apply any released fix immediately
Mitigations - no patch available
Grassroots DICOM (GDCM) 3.2.2 is listed as End of Life and the maintainer has not responded to mitigation requests, so no patch is expected. Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict access to imaging systems and file upload interfaces from untrusted networks
HARDENING: Monitor GDCM applications for crashes or service interruptions; implement alerting on imaging system failures
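The "validate before processing" workaround and the "monitor for crashes" hardening item above both come down to not letting an untrusted file take the whole imaging service down with it. The following is an added example, not code from this advisory or from the GDCM project, of how an ingestion service can do both: a cheap DICOM Part 10 structure check before the library ever sees the file, and running the real parser in a child process with an address-space cap and a deadline so a leak-driven exhaustion, a crash or a hang is contained and reported instead of being fatal. It assumes a POSIX host (limits are set with setrlimit) and an external parser command; the default, gdcmdump, is a real GDCM command-line tool but its presence on the host is an assumption, and the simulated parsers used for the demo are constructed with the Python interpreter so the script runs offline. The 256 MiB size cap and 512 MiB memory cap are constructed values to be tuned to the modality's real image sizes.

```python
"""Pre-parse sanity check plus resource-limited parsing for untrusted DICOM files.

Added example, not GDCM project code. Assumes a POSIX host and an external
parser command (gdcmdump is a real GDCM tool; its presence is assumed).
"""
import os
import resource
import subprocess
import sys
import tempfile

PREAMBLE_LEN = 128             # DICOM Part 10: 128-byte preamble precedes the magic
MAGIC = b"DICM"
META_GROUP = 0x0002            # File Meta Information elements live in group 0002
MAX_FILE_BYTES = 256 * 2**20   # constructed cap; tune to the modality's real image sizes


def looks_like_dicom_part10(data: bytes) -> bool:
    """Cheap structural check done before any real parser touches the file.

    Rejects anything that is not a Part 10 file: implausible length, missing
    magic, or a first element outside the File Meta group. This does not
    validate the file; it only keeps obviously malformed input away from GDCM.
    """
    if not (PREAMBLE_LEN + 4 + 8 <= len(data) <= MAX_FILE_BYTES):
        return False
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        return False
    first_group = int.from_bytes(data[PREAMBLE_LEN + 4:PREAMBLE_LEN + 6], "little")
    return first_group == META_GROUP


def parse_sandboxed(path, parser_cmd=("gdcmdump",), mem_bytes=512 * 2**20, timeout_s=10):
    """Run the parser in a child process with an address-space cap and a deadline.

    A leak or a crash inside the library then ends that one child instead of
    the service, and the caller gets a classified outcome it can alert on.
    """
    def cap_memory():
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))

    try:
        proc = subprocess.run(list(parser_cmd) + [path], preexec_fn=cap_memory,
                              timeout=timeout_s, capture_output=True)
    except subprocess.TimeoutExpired:
        return "timeout"                               # hung parser, killed by subprocess.run
    if proc.returncode < 0:
        return f"crashed:signal{-proc.returncode}"     # e.g. SIGSEGV -> "crashed:signal11"
    if proc.returncode == 0:
        return "ok"
    return f"failed:{proc.returncode}"                 # parser exited with an error (e.g. out of memory)


def handle_untrusted_dicom(path, **kw):
    """Gate: structural check first, sandboxed parse second. Returns an outcome label."""
    with open(path, "rb") as f:
        data = f.read(MAX_FILE_BYTES + 1)              # one extra byte detects oversize files
    if not looks_like_dicom_part10(data):
        return "rejected"
    return parse_sandboxed(path, **kw)


def build_minimal_part10() -> bytes:
    """Constructed sample: preamble, magic, then (0002,0000) UL length 4 value 0."""
    element = (0x0002).to_bytes(2, "little") + (0x0000).to_bytes(2, "little")
    element += b"UL" + (4).to_bytes(2, "little") + (0).to_bytes(4, "little")
    return b"\x00" * PREAMBLE_LEN + MAGIC + element


def write_temp(data: bytes) -> str:
    fd, path = tempfile.mkstemp(suffix=".dcm")
    os.write(fd, data)
    os.close(fd)
    return path


# Simulated parser behaviours (constructed with the interpreter so this runs offline):
# a clean parse, an unbounded allocation, a segfault, and a hang.
SIMULATED_PARSERS = {
    "clean": (sys.executable, "-c", "pass"),
    "leak": (sys.executable, "-c", "bytearray(4 * 10**9)"),
    "crash": (sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"),
    "hang": (sys.executable, "-c", "import time; time.sleep(30)"),
}


if __name__ == "__main__":
    sample = write_temp(build_minimal_part10())
    for name, cmd in SIMULATED_PARSERS.items():
        print(name, "->", handle_untrusted_dicom(sample, parser_cmd=cmd, timeout_s=2))
    print("junk ->", handle_untrusted_dicom(write_temp(b"not a dicom file")))
```

Each outcome other than "ok" is exactly the signal the hardening item asks for: log it with the source (calling AE title, upload account, file hash) and alert on it, since a burst of "failed", "crashed" or "timeout" results from one sender is what an attempt to exploit this issue would look like in practice.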
API: /api/v1/advisories/82b226fb-2b98-4ce7-a31d-6ed153ab285f