Description
A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.
Published: 2026-03-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A memory leak has been identified in the Grassroots DICOM (GDCM) library. The flaw arises when the library parses malformed DICOM files containing non‑standard Value Representation (VR) types in the file meta information section. As a result, large amounts of memory are allocated and never released, causing the heap to be exhausted in a single read operation and ultimately leading to a denial‑of‑service condition. This bug directly maps to the CWE identifiers for memory leak (CWE‑401) and resource exhaustion (CWE‑770).

Affected Systems

Grassroots DICOM (GDCM), developed by the Grassroots project, is the affected suite. No specific version range is listed in the advisory, meaning that any deployment of GDCM that has not been confirmed patched could be at risk. Updated releases and additional information can be obtained from the project's SourceForge page.

Risk and Exploitability

The CVSS score of 8.7 qualifies this flaw as high severity, and while an EPSS value is unavailable, its potential for causing out‑of‑memory conditions makes exploitation practically relevant. Because the fault is triggered during the parsing of a DICOM file, the likely attack vector is delivery of a crafted file through the DICOM service or via an application that imports or processes DICOM data. Without an official fix yet publicly disclosed, users should treat this as a high‑risk issue and proactively lock down or postpone usage of the affected library until a patched version is released.

Generated by OpenCVE AI on March 27, 2026 at 06:38 UTC.

Remediation

Vendor Workaround

The maintainer of Grassroots DICOM (GDCM) has not responded to requests to work with CISA to mitigate this vulnerability. For update information refer to the software page on SourceForge. https://sourceforge.net/projects/gdcm/


OpenCVE Recommended Actions

  • Upgrade the Grassroots DICOM library to the latest release available on SourceForge or apply any vendor‑issued patch.
  • If no update is available, block or refuse the processing of DICOM files that contain non‑standard VR types from untrusted sources.
  • Implement application‑level validation or quarantine to prevent the ingestion of malformed DICOM files until a patch is available.
  • Monitor memory utilization on servers running GDCM and set alerts for sudden heap growth.
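The second and third recommendations call for screening DICOM files before the library ever parses them. The following is an added example of such a pre-ingestion check; it is not code from GDCM, OpenCVE or the CVE record. It assumes the DICOM Part 10 layout (128-byte preamble, "DICM" magic, then the File Meta Information group 0002 in Explicit VR Little Endian) and rejects any element whose two-character VR is outside the PS3.5 VR table, or whose declared length is undefined or larger than a constructed 64 KiB cap, so that a file which asks a parser for an implausible allocation is quarantined rather than opened. The sample files are constructed for the example and are not real study data.

```python
"""Pre-ingestion screen for DICOM Part 10 File Meta Information (group 0002).

Added example (not GDCM or OpenCVE code). It assumes the Part 10 layout:
128-byte preamble, "DICM" magic, then group 0002 elements in Explicit VR
Little Endian. Anything that fails the screen is quarantined instead of
being handed to the DICOM parser.
"""
from __future__ import annotations

import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
UNDEFINED_LENGTH = 0xFFFFFFFF

# Value Representations defined in DICOM PS3.5 Table 6.2-1.
STANDARD_VRS = frozenset({
    "AE", "AS", "AT", "CS", "DA", "DS", "DT", "FL", "FD", "IS", "LO", "LT",
    "OB", "OD", "OF", "OL", "OV", "OW", "PN", "SH", "SL", "SQ", "SS", "ST",
    "SV", "TM", "UC", "UI", "UL", "UN", "UR", "US", "UT", "UV",
})
# VRs whose explicit-VR header carries 2 reserved bytes and a 4-byte length.
LONG_LENGTH_VRS = frozenset({
    "OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV",
})


def check_file_meta(data: bytes, max_element_len: int = 64 * 1024) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the DICM magic is present and
    every group 0002 element has a standard VR and a plausible length.
    max_element_len is a constructed cap: meta elements are small in practice."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        return False, "missing DICM magic"
    pos = PREAMBLE_LEN + 4
    seen = 0
    while pos + 8 <= len(data):          # smallest complete element header
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break                         # file meta ends where the dataset begins
        try:
            vr = data[pos + 4:pos + 6].decode("ascii")
        except UnicodeDecodeError:
            return False, f"non-ASCII VR at (0002,{elem:04X})"
        if vr not in STANDARD_VRS:
            return False, f"non-standard VR {vr!r} at (0002,{elem:04X})"
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                return False, f"truncated header at (0002,{elem:04X})"
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        # A huge or undefined length is exactly the input that makes a naive
        # parser allocate far more than the file can ever contain.
        if length == UNDEFINED_LENGTH or length > max_element_len:
            return False, f"declared length {length} exceeds cap at (0002,{elem:04X})"
        if pos + length > len(data):
            return False, f"value of (0002,{elem:04X}) runs past end of file"
        pos += length
        seen += 1
    if seen == 0:
        return False, "no file meta information elements"
    return True, "ok"


# --- constructed sample files (not real study data) ------------------------

def _meta_element(elem: int, vr: str, value: bytes) -> bytes:
    """Encode one group 0002 element in Explicit VR Little Endian."""
    header = struct.pack("<HH", 0x0002, elem) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return header + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return header + struct.pack("<H", len(value)) + value


def build_sample(transfer_syntax_vr: str = "UI") -> bytes:
    """Minimal Part 10 header. Passing a bogus VR for (0002,0010) yields the
    kind of malformed meta information the advisory describes."""
    body = (
        _meta_element(0x0001, "OB", b"\x00\x01")                                 # version
        + _meta_element(0x0002, "UI", b"1.2.840.10008.5.1.4.1.1.7\x00")          # SOP class
        + _meta_element(0x0010, transfer_syntax_vr, b"1.2.840.10008.1.2.1\x00")  # transfer syntax
    )
    group_length = _meta_element(0x0000, "UL", struct.pack("<I", len(body)))
    return b"\x00" * PREAMBLE_LEN + MAGIC + group_length + body


def build_oversized_sample() -> bytes:
    """Header that declares a ~2 GiB value for (0002,0001) but carries no bytes."""
    header = (struct.pack("<HH", 0x0002, 0x0001) + b"OB" + b"\x00\x00"
              + struct.pack("<I", 0x7FFFFFFF))
    return b"\x00" * PREAMBLE_LEN + MAGIC + header


if __name__ == "__main__":
    for name, blob in [("well-formed", build_sample()),
                       ("bogus VR", build_sample("ZZ")),
                       ("oversized length", build_oversized_sample())]:
        print(f"{name:17s} -> {check_file_meta(blob)}")
```

Run the screen on the ingest path (for example in the receiving SCP's store handler or the import watcher) and route anything that returns `ok == False` to a quarantine directory with the reason logged; the check reads only the few hundred bytes of the meta header, so it costs little even on large studies. The 64 KiB cap is a local policy choice, not a value from the standard or the advisory.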


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Grassroots; Grassroots grassroots Dicom
Vendors & Products   |                | Grassroots; Grassroots grassroots Dicom

Fri, 27 Mar 2026 04:00:00 +0000

Type        | Values Removed        | Values Added
Weaknesses  |                       | CWE-770
References  |                       |
Metrics     | threat_severity: None | threat_severity: Moderate


Thu, 26 Mar 2026 21:30:00 +0000

Type         | Values Removed | Values Added
Description  |                | A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.
Title        |                | Grassroots DICOM Missing release of memory after effective lifetime
Weaknesses   |                | CWE-401
References   |                |
Metrics      |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
             |                | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Grassroots Grassroots Dicom
MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-27T19:39:21.092Z

Reserved: 2026-03-06T16:24:00.662Z

Link: CVE-2026-3650

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-26T22:16:31.370

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-3650

Redhat

Severity: Moderate

Public Date: 2026-03-26T21:10:30Z

Links: CVE-2026-3650 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:23:15Z

Weaknesses