---
title: "Critical Vulnerability in Grassroots DICOM (GDCM) Risks Healthcare Systems"
short_title: "GDCM vulnerability threatens healthcare security"
description: "A critical out-of-bounds write vulnerability in Grassroots DICOM (GDCM) could crash medical apps, causing denial-of-service. Patch now to secure healthcare systems."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [gdcm, dicom, cve-2025-11266, healthcare, cybersecurity]
score: 0.75
cve_ids: [CVE-2025-11266]
---

## TL;DR

A critical out-of-bounds write vulnerability (CVE-2025-11266) in Grassroots DICOM (GDCM) and related medical imaging tools could allow attackers to crash applications by exploiting maliciously crafted DICOM files. This poses a significant risk to healthcare systems worldwide, potentially disrupting critical services. Users are urged to update to the latest patched versions immediately.

---

## Main Content

### Introduction

The healthcare sector faces a growing threat from cybersecurity vulnerabilities in medical imaging software. A recently disclosed flaw in Grassroots DICOM (GDCM), a widely used open-source library for handling DICOM (Digital Imaging and Communications in Medicine) files, could allow attackers to trigger denial-of-service (DoS) conditions. This vulnerability, identified as CVE-2025-11266, highlights the urgent need for robust security measures in healthcare infrastructure.

---

### Key Points

- Vulnerability Impact: Exploiting this flaw could crash medical imaging applications, leading to disruption of healthcare services.
- Affected Products: Grassroots DICOM (GDCM) versions 3.0.24 and prior, SimpleITK 2.5.2 and prior, and medInria 4.0 and prior.
- Attack Complexity: Low, as simply opening a malicious DICOM file is sufficient to trigger the vulnerability.
- CVSS Scores: 6.6 (CVSS v3.1) and 6.8 (CVSS v4), indicating a high-severity risk.
- Mitigation: Update to GDCM v3.2.2 or later, and apply patches for SimpleITK and medInria.

---

### Technical Details

#### Vulnerability Overview
The vulnerability (CVE-2025-11266) is an out-of-bounds write issue in the GDCM library. It occurs during the parsing of malformed DICOM files containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). An unsigned integer underflow in buffer indexing leads to out-of-bounds memory access, resulting in a segmentation fault and application crash.
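To make the fragment structure and the failing check concrete, here is a defensive parser for the item stream that follows an undefined-length PixelData element. This is an added example, not GDCM's code or the patched routine: it validates every item length against the bytes actually remaining before any subtraction, which is the kind of check an unsigned underflow silently defeats. The item tags and layout follow the DICOM encapsulated pixel data format; both sample buffers are constructed.

```cpp
// Checked parser for encapsulated PixelData items: Basic Offset Table item,
// fragment items, then a Sequence Delimitation Item. Added example, not GDCM code.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct Fragment { size_t offset; uint32_t length; };   // position inside the buffer
struct ParseResult { bool ok; std::string error; std::vector<Fragment> fragments; };

static uint32_t readLE32(const std::vector<uint8_t>& b, size_t pos) {
    return uint32_t(b[pos]) | (uint32_t(b[pos + 1]) << 8) | (uint32_t(b[pos + 2]) << 16) | (uint32_t(b[pos + 3]) << 24);
}

// buf holds the bytes after the PixelData header (tag, VR OB, length 0xFFFFFFFF).
ParseResult parseEncapsulatedPixelData(const std::vector<uint8_t>& buf) {
    ParseResult r{true, "", {}};
    size_t pos = 0;                 // invariant: pos <= buf.size(), so the
    bool sawOffsetTable = false;    // subtraction below can never wrap around
    for (;;) {
        size_t remaining = buf.size() - pos;
        if (remaining < 8) return {false, "truncated item header", {}};
        uint32_t tag = readLE32(buf, pos);       // (gggg,eeee) as stored little-endian
        uint32_t len = readLE32(buf, pos + 4);
        pos += 8; remaining -= 8;                // safe: remaining >= 8 was checked
        if (tag == 0xE0DDFFFEu) {                // (FFFE,E0DD) Sequence Delimitation Item
            if (len != 0) return {false, "delimiter with non-zero length", {}};
            if (!sawOffsetTable) return {false, "missing Basic Offset Table", {}};
            return r;
        }
        if (tag != 0xE000FFFEu) return {false, "unexpected tag in fragment stream", {}};
        if (len == 0xFFFFFFFFu) return {false, "undefined length not allowed here", {}};
        if (len > remaining) return {false, "item length exceeds available bytes", {}};
        if (!sawOffsetTable) {                   // first item: offset table, 4 bytes per entry
            if (len % 4 != 0) return {false, "offset table length not a multiple of 4", {}};
            sawOffsetTable = true;
        } else r.fragments.push_back({pos, len});
        pos += len;                              // stays <= buf.size() because len <= remaining
    }
}

std::vector<uint8_t> wellFormedSample() {   // constructed: empty BOT, one 4-byte fragment, delimiter
    return {0xFE, 0xFF, 0x00, 0xE0, 0, 0, 0, 0,  0xFE, 0xFF, 0x00, 0xE0, 4, 0, 0, 0, 1, 2, 3, 4,
            0xFE, 0xFF, 0xDD, 0xE0, 0, 0, 0, 0};
}
std::vector<uint8_t> oversizedFragmentSample() {   // constructed: fragment claims 0xFFFFFFF0 bytes
    return {0xFE, 0xFF, 0x00, 0xE0, 0, 0, 0, 0,  0xFE, 0xFF, 0x00, 0xE0, 0xF0, 0xFF, 0xFF, 0xFF, 1, 2, 3,
            0xFE, 0xFF, 0xDD, 0xE0, 0, 0, 0, 0};
}
```

A pre-ingest check of this shape lets a PACS gateway reject a malformed file before a vulnerable viewer ever opens it.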

#### Exploitation Mechanism
Attackers can exploit this flaw by crafting a malicious DICOM file. When opened by a vulnerable application, the file triggers the vulnerability, causing the application to crash. This could lead to a denial-of-service (DoS) condition, disrupting critical healthcare services.

#### Affected Systems
The following products and versions are affected:
- Grassroots DICOM (GDCM): Versions 3.0.24 and prior
- SimpleITK: Versions 2.5.2 and prior
- medInria: Versions 4.0 and prior

---

### Impact Assessment

#### Healthcare Sector at Risk
The healthcare and public health sector is particularly vulnerable to this flaw due to its reliance on DICOM files for medical imaging. A successful exploit could disrupt diagnostic services, delay patient care, and compromise the integrity of medical data.

#### Global Deployment
GDCM and related tools are deployed worldwide, making this vulnerability a global concern. Healthcare organizations must act swiftly to mitigate risks and prevent potential exploitation.

#### No Active Exploitation Reported—Yet
As of now, no public exploitation of this vulnerability has been reported. However, the low attack complexity and high impact make it an attractive target for threat actors. Proactive measures are essential to prevent future attacks.

---

### Mitigation Steps

#### Immediate Actions
1. Update Software: Users of GDCM should upgrade to [version 3.2.2 or later](https://github.com/malaterre/GDCM/releases/tag/v3.2.2) immediately.
2. Patch Affected Tools: Apply the latest patches for SimpleITK and medInria to address the vulnerability.
3. Isolate Critical Systems: Ensure medical imaging systems are not exposed to the internet and are isolated from business networks.

#### Long-Term Strategies
- Network Security: Locate control system networks behind firewalls and use Virtual Private Networks (VPNs) for remote access.
- Defensive Measures: Follow [CISA’s recommended practices](https://www.cisa.gov/resources-tools/resources/ics-recommended-practices) for industrial control systems (ICS) security.
- User Awareness: Train staff to recognize and avoid social engineering attacks, such as phishing emails with malicious attachments.

---

### Attack Vector

The vulnerability is exploitable via file input. Attackers can distribute malicious DICOM files through:
- Email attachments
- Compromised medical imaging databases
- Malicious downloads from untrusted sources

Opening the file in a vulnerable application is sufficient to trigger the exploit.

---

### Conclusion

The discovery of CVE-2025-11266 underscores the critical importance of cybersecurity in healthcare. While no active exploitation has been reported, the potential for disruption is significant. Healthcare organizations must prioritize patching affected systems, isolating critical infrastructure, and implementing robust security measures to mitigate risks. By taking proactive steps, the sector can safeguard patient data and ensure the continuity of essential services.
