PatchSiren cyber security CVE debrief
CVE-2025-11266 Grassroots CVE debrief
CVE-2025-11266 is a medium-severity memory-safety flaw in Grassroots DICOM (GDCM) that can be triggered by opening a crafted DICOM file. The advisory says malformed encapsulated PixelData fragments can cause an unsigned integer underflow in buffer indexing, leading to an out-of-bounds memory access and segmentation fault. In practical terms, this is a denial-of-service issue for software that parses untrusted DICOM content.
- Vendor: Grassroots
- Product: SimpleITK
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-11
- Original CVE updated: 2025-12-11
- Advisory published: 2025-12-11
- Advisory updated: 2025-12-11
Who should care
Teams running software that embeds or depends on GDCM, including SimpleITK and medInria deployments, should care most. This is especially relevant for imaging workflows that accept DICOM files from outside the organization or from less-trusted sources.
Technical summary
The source advisory describes an out-of-bounds write in the Grassroots DICOM library during parsing of malformed DICOM files containing encapsulated PixelData fragments. The failure mode is an unsigned integer underflow in buffer indexing, which produces an out-of-bounds memory access and a segmentation fault. The issue is reachable through file input alone: opening a crafted DICOM file is sufficient to trigger the crash, with no privileges or network access required. The supplied CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H, score 6.6 (Medium); the local vector and user-interaction requirement reflect that a file has to be loaded by the victim, and an automated ingest pipeline that opens uploaded studies removes that interaction step in practice.
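The advisory does not say which index computation underflows, so the following is an added illustration of the bug class rather than GDCM's code: a hypothetical, simplified walker over encapsulated PixelData (Items tagged (FFFE,E000) with a 4-byte length, the first carrying the Basic Offset Table of frame offsets, the rest carrying fragments, closed by (FFFE,E0DD)). The unsafe frame-size routine subtracts two file-supplied offsets in unsigned arithmetic; a crafted, non-increasing offset table makes the result wrap to a huge value that a caller would then use as a copy length or buffer index. The hardened routine validates ordering and range first. All names (`walk_items`, `frame_size_unsafe`, `frame_size_safe`, `build_sample`) and the 48-byte sample bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified encapsulated-PixelData walker written for this
 * debrief to illustrate the bug class; it is not GDCM's code.
 * Layout per DICOM PS3.5 A.4: Items (FFFE,E000) with a 4-byte little-endian
 * length, the first holding the Basic Offset Table (BOT) of uint32 frame
 * offsets, later ones holding fragments, closed by (FFFE,E0DD). BOT offsets
 * are measured from the first fragment's Item tag and include Item headers. */

#define MAX_ITEMS 16

struct encaps {
    uint32_t bot[MAX_ITEMS];
    size_t nbot;
    size_t frag_off[MAX_ITEMS], frag_len[MAX_ITEMS];
    size_t nfrag;
    size_t frag_bytes;   /* bytes from the first fragment tag to the last fragment end */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static bool is_tag(const uint8_t *p, uint16_t group, uint16_t elem) {
    return p[0] == (group & 0xff) && p[1] == (group >> 8) &&
           p[2] == (elem & 0xff)  && p[3] == (elem >> 8);
}

/* Bounds-checked item walker. The invariant pos <= len is kept by checking
 * every file-supplied length against the bytes that actually remain before
 * pos is advanced, so (len - pos) can never wrap. */
static bool walk_items(const uint8_t *buf, size_t len, struct encaps *e) {
    size_t pos = 0, item = 0;
    memset(e, 0, sizeof *e);
    for (;;) {
        if (len - pos < 8) return false;                 /* truncated item header */
        uint32_t ilen = rd32le(buf + pos + 4);
        if (is_tag(buf + pos, 0xFFFE, 0xE0DD)) return ilen == 0;   /* delimiter */
        if (!is_tag(buf + pos, 0xFFFE, 0xE000)) return false;
        pos += 8;
        if (ilen > len - pos) return false;              /* item body overruns buffer */
        if (item == 0) {                                 /* Basic Offset Table */
            if (ilen % 4 || ilen / 4 > MAX_ITEMS) return false;
            for (size_t i = 0; i < ilen / 4; i++) e->bot[e->nbot++] = rd32le(buf + pos + 4 * i);
        } else {                                         /* fragment */
            if (e->nfrag == MAX_ITEMS) return false;
            e->frag_off[e->nfrag] = pos;
            e->frag_len[e->nfrag] = ilen;
            e->nfrag++;
            e->frag_bytes += 8 + ilen;
        }
        pos += ilen;
        item++;
    }
}

/* Vulnerable pattern: a frame's size is the difference of two file-supplied
 * offsets in unsigned arithmetic. A BOT that is not increasing makes the
 * subtraction wrap to a huge size_t; a caller using it as a copy length or
 * buffer index then reads or writes far outside the pixel buffer. */
static size_t frame_size_unsafe(const struct encaps *e, size_t i) {
    size_t next = (i + 1 < e->nbot) ? e->bot[i + 1] : e->frag_bytes;
    return next - e->bot[i];
}

/* Hardened form: validate ordering and range before subtracting. */
static bool frame_size_safe(const struct encaps *e, size_t i, size_t *size) {
    if (i >= e->nbot) return false;
    size_t start = e->bot[i];
    size_t next = (i + 1 < e->nbot) ? e->bot[i + 1] : e->frag_bytes;
    if (next <= start || next > e->frag_bytes) return false;
    *size = next - start;
    return true;
}

/* Constructed sample (not a real DICOM file): a 2-entry BOT, two 4-byte
 * fragments and the sequence delimiter, 48 bytes in total. */
static size_t build_sample(uint8_t out[48], uint32_t bot0, uint32_t bot1) {
    static const uint8_t item[4] = {0xFE, 0xFF, 0x00, 0xE0}, delim[4] = {0xFE, 0xFF, 0xDD, 0xE0};
    size_t n = 0;
    memcpy(out + n, item, 4); n += 4; wr32le(out + n, 8); n += 4;   /* BOT item, 8 bytes */
    wr32le(out + n, bot0); n += 4;    wr32le(out + n, bot1); n += 4;
    for (int f = 0; f < 2; f++) {                                     /* two fragments */
        memcpy(out + n, item, 4); n += 4; wr32le(out + n, 4); n += 4;
        memset(out + n, 0xA0 + f, 4); n += 4;
    }
    memcpy(out + n, delim, 4); n += 4; wr32le(out + n, 0); n += 4;   /* delimiter */
    return n;
}

/* Frame 0 size as the unsafe arithmetic computes it (0 if the walker rejects the bytes). */
size_t frame0_unsafe(uint32_t bot0, uint32_t bot1) {
    uint8_t buf[48]; struct encaps e;
    size_t len = build_sample(buf, bot0, bot1);
    return walk_items(buf, len, &e) ? frame_size_unsafe(&e, 0) : 0;
}
/* Frame 0 size after validation, or -1 when the walker or the BOT check rejects the bytes. */
long frame0_safe(uint32_t bot0, uint32_t bot1) {
    uint8_t buf[48]; struct encaps e; size_t size;
    size_t len = build_sample(buf, bot0, bot1);
    if (!walk_items(buf, len, &e) || !frame_size_safe(&e, 0, &size)) return -1;
    return (long)size;
}

int main(void) {
    printf("honest BOT {0,12}:  unsafe=%zu safe=%ld\n", frame0_unsafe(0, 12), frame0_safe(0, 12));
    printf("crafted BOT {12,0}: unsafe=%zu safe=%ld\n", frame0_unsafe(12, 0), frame0_safe(12, 0));
    return 0;
}
```

With the honest table both routines agree on 12 bytes for frame 0 (an 8-byte Item header plus 4 bytes of fragment data). With the crafted table the unsafe subtraction yields a value just below SIZE_MAX, which is exactly the kind of index the advisory describes, while the hardened routine rejects the table before any memory is touched. The same pattern applies to any "end minus start" computed from file-controlled values, such as the remaining-bytes check in an item walker once a position has been advanced by an unchecked length.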
Defensive priority
Medium. The supplied advisory describes only a file-triggered denial of service, but the affected code parses medical imaging content that frequently arrives from outside the organization, and a single opened file is enough to crash the process.
Recommended defensive actions
- Update Grassroots DICOM (GDCM) to v3.2.2 or later, as recommended by the maintainer.
- Apply the released fixes for downstream products that embed or package the library, including SimpleITK and medInria; these typically ship their own copy of GDCM, so updating a system GDCM package alone does not cover them.
- Treat DICOM files from untrusted sources as potentially malicious until patched versions are deployed.
- Prioritize remediation in any workflow where users open externally supplied imaging files.
Evidence notes
The supplied CISA CSAF advisory (ICSMA-25-345-01) states that the flaw is an out-of-bounds write in GDCM triggered while parsing malformed DICOM files with encapsulated PixelData fragments, and that opening a crafted file can cause a segmentation fault and denial of service. The advisory recommends updating GDCM to v3.2.2 or later and notes that SimpleITK and medInria have released fixes. The CVE and source advisory were both published on 2025-12-11 in the supplied data. No CISA KEV entry is present in the supplied enrichment.
Official resources
- CVE-2025-11266 CVE record (CVE.org)
- CVE-2025-11266 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in advisory ICSMA-25-345-01 on 2025-12-11, the same date the CVE was published in the supplied timeline. The supplied enrichment does not mark it as a CISA KEV item.