Grassroots DICOM (GDCM)
CVSS 7.5 · ICS-CERT ICSMA-26-083-01 · Mar 24, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Grassroots DICOM (GDCM) version 3.2.2 allows an attacker to send a specially crafted DICOM file that, when parsed, causes a denial-of-service condition in applications using the library. The maintainer has not responded to remediation requests and no fix is planned. The issue affects medical imaging applications across healthcare facilities that depend on GDCM for DICOM file processing.
What this means
What could happen
An attacker could send a malicious DICOM file that crashes the GDCM library, causing medical imaging applications using this library to become unavailable. This could disrupt patient diagnosis and treatment workflows in healthcare facilities.
Who's at risk
Healthcare facilities, hospitals, and diagnostic imaging centers that rely on GDCM-based DICOM viewers or processing tools to manage and analyze medical images. Any institution using medical imaging software built on the Grassroots DICOM library is affected.
How it could be exploited
An attacker with network access to a system running GDCM crafts a specially formatted DICOM medical image file and sends it for processing. When the vulnerable GDCM library parses the malicious file, it triggers a denial-of-service condition that crashes the application.
Prerequisites
- Network access to a system running GDCM
- Target system must process DICOM files from untrusted sources or network-accessible DICOM services
- GDCM version 3.2.2 must be in use
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects safety systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: Grassroots DICOM (GDCM): 3.2.2
Affected Versions: 3.2.2
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to systems running GDCM to only trusted DICOM sources and medical devices
WORKAROUND: Implement input validation on DICOM files before processing through GDCM
Mitigations - no patch available
Grassroots DICOM (GDCM): 3.2.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Evaluate alternative DICOM libraries that are actively maintained and have patch support
HARDENING: Monitor the SourceForge GDCM project for community patches or forks with security updates
CVEs (1)