---
title: "Critical Memory Leak in GDCM 3.2.2 Triggers DoS Attacks—Patch Now"
short_title: "GDCM 3.2.2 memory leak flaw enables DoS attacks"
description: "A high-severity memory leak in Grassroots DICOM (GDCM) 3.2.2 allows attackers to cause denial-of-service (DoS) conditions. Learn mitigation steps and impact."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [gdcm, cve-2026-3650, memory-leak, dos, healthcare-security]
score: 0.78
cve_ids: [CVE-2026-3650]
---

# Critical Memory Leak in GDCM 3.2.2 Triggers DoS Attacks—Patch Now

## TL;DR

A critical memory leak vulnerability (CVE-2026-3650) in Grassroots DICOM (GDCM) 3.2.2 can be triggered by attacker-supplied malformed DICOM files, leading to denial-of-service (DoS) conditions. The flaw, rated CVSS 7.5 (High), affects healthcare systems worldwide. No official patch is available yet, but mitigation steps can reduce the risk.

---

## Introduction

Cybersecurity researchers have uncovered a high-severity memory leak vulnerability in Grassroots DICOM (GDCM) 3.2.2, a widely used library for medical imaging. The flaw (CVE-2026-3650) enables attackers to craft malicious DICOM files that trigger uncontrolled memory allocations, ultimately causing system crashes and denial-of-service (DoS) conditions. Given its deployment in healthcare and public health sectors, this vulnerability poses significant risks to critical infrastructure.

---

## Key Points

- Vulnerability: Memory leak in GDCM 3.2.2 due to improper handling of malformed DICOM files.
- Impact: Exploitable for DoS attacks, disrupting healthcare imaging systems.
- Severity: CVSS 7.5 (High)—no user interaction or privileges required.
- Affected Systems: GDCM 3.2.2, deployed globally in healthcare environments.
- Mitigation: No official patch yet; users advised to monitor updates and implement network-level protections.

---

## Technical Details

The vulnerability stems from a missing release of memory after its effective lifetime (CWE-401) in GDCM’s file parsing logic. When the library processes DICOM files whose File Meta Information contains non-standard Value Representation (VR) types, it fails to deallocate memory properly. This leads to:

- Excessive heap allocations within a single read operation.
- Resource depletion, causing system instability or crashes.
- Remote exploitation via crafted files, with no authentication required.

The flaw was reported by Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS to CISA.

---

## Impact Assessment

### Sectors at Risk
- Healthcare and Public Health (HPH): GDCM is integral to medical imaging systems, including PACS (Picture Archiving and Communication Systems) and DICOM viewers.
- Global Deployment: The library is used worldwide, with concentrations in the United States, Europe, and Asia.

### Exploitation Consequences
- Operational Disruption: DoS attacks could halt diagnostic services, delaying patient care.
- Data Integrity Risks: While the flaw doesn’t directly expose data, prolonged outages may lead to backup failures or data corruption.
- Compliance Violations: Healthcare providers may face regulatory penalties for unpatched critical vulnerabilities.

---

## Mitigation Steps

### Immediate Actions
1. Monitor Network Exposure:
   - Ensure GDCM systems are not accessible via the internet.
   - Use firewalls to isolate medical imaging networks from business systems.
2. Restrict File Inputs:
   - Validate DICOM files from untrusted sources before processing.
   - Implement sandboxing for file parsing operations.
3. Leverage VPNs for Remote Access:
   - Use updated Virtual Private Networks (VPNs) for secure remote connections.
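As an added example that is not part of this advisory or of the GDCM project, the Python check below implements the "validate DICOM files from untrusted sources" step in terms of the condition described under Technical Details: it walks the File Meta Information (group 0002) and refuses any file whose elements carry a VR outside the DICOM PS3.5 set, an undefined or out-of-bounds length, or an oversized meta block, before the file reaches the library. The 64 KiB cap and the constructed sample file are assumptions made for illustration.

```python
import struct
# VRs defined by DICOM PS3.5; anything else is a "non-standard VR" in the advisory's sense.
STANDARD_VRS = {"AE", "AS", "AT", "CS", "DA", "DS", "DT", "FL", "FD", "IS", "LO", "LT", "OB",
                "OD", "OF", "OL", "OV", "OW", "PN", "SH", "SL", "SQ", "SS", "ST", "SV", "TM",
                "UC", "UI", "UL", "UN", "UR", "US", "UT", "UV"}
# VRs whose explicit-VR encoding carries 2 reserved bytes plus a 4-byte length field.
LONG_LEN_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
MAX_META_BYTES = 64 * 1024  # assumed cap; real File Meta Information is a few hundred bytes
class DicomRejected(ValueError): pass

def check_meta_header(data: bytes, max_meta: int = MAX_META_BYTES) -> dict:
    """Walk group 0002 (always explicit VR little endian); raise on anything malformed."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise DicomRejected("missing 128-byte preamble or DICM magic")
    pos, meta = 132, {}
    while pos + 8 <= len(data):
        group, elem, raw_vr = struct.unpack_from("<HH2s", data, pos)
        if group != 0x0002:
            break  # first non-meta element ends the File Meta Information
        vr = raw_vr.decode("ascii", "replace")
        if vr not in STANDARD_VRS:
            raise DicomRejected(f"non-standard VR {vr!r} at ({group:04X},{elem:04X})")
        if vr in LONG_LEN_VRS:
            if pos + 12 > len(data):
                raise DicomRejected("truncated element header")
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        # Undefined length, value past EOF or oversized meta block: refuse, don't allocate on trust.
        if length == 0xFFFFFFFF or pos + length > len(data) or pos + length - 132 > max_meta:
            raise DicomRejected(f"bad length {length} for ({group:04X},{elem:04X})")
        meta[(group, elem)], pos = data[pos:pos + length], pos + length
    if (0x0002, 0x0010) not in meta:
        raise DicomRejected("no Transfer Syntax UID (0002,0010)")
    return meta

def screen(data: bytes) -> tuple:  # ingest gate: (True, "") or (False, reason)
    try:
        check_meta_header(data)
        return True, ""
    except DicomRejected as exc:
        return False, str(exc)

def build_sample(ts_vr: str = "UI") -> bytes:  # constructed minimal file; ts_vr can inject a bogus VR
    def elem(tag, vr, value):  # explicit-VR little-endian element encoder for group 0002
        head = struct.pack("<HH", 2, tag) + vr.encode("ascii")
        ln = b"\0\0" + struct.pack("<I", len(value)) if vr in LONG_LEN_VRS else struct.pack("<H", len(value))
        return head + ln + value
    body = elem(0x0001, "OB", b"\x00\x01") + elem(0x0010, ts_vr, b"1.2.840.10008.1.2.1\0")
    return b"\0" * 128 + b"DICM" + elem(0x0000, "UL", struct.pack("<I", len(body))) + body
```

Run `screen()` as a gate in front of the parser: only files that return `(True, "")` are handed to the library, and each rejection is logged with its reason so that a burst of non-standard-VR files from one source stands out.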

### Long-Term Solutions
- Track Official Updates: Monitor the [GDCM SourceForge page](https://sourceforge.net/projects/gdcm/) for patches.
- Apply Defense-in-Depth Strategies: Follow CISA’s ICS cybersecurity recommendations for layered protections.
- Incident Reporting: Report suspicious activity to CISA for coordination.

---

## Affected Systems

| Vendor | Product | Version | Status |
|---------------|---------------------------|-------------------|--------------------|
| Grassroots | Grassroots DICOM (GDCM) | 3.2.2 | Known Affected |

---

## Conclusion

The CVE-2026-3650 memory leak in GDCM 3.2.2 highlights the growing cybersecurity risks in healthcare IT. While no patch is currently available, organizations must proactively secure their systems through network segmentation, file validation, and vigilant monitoring. Given the high severity of this flaw, healthcare providers should prioritize mitigation efforts to prevent potential DoS attacks and ensure uninterrupted patient care.
