PatchSiren cyber security CVE debrief
CVE-2026-3650 Raw CVE debrief
CVE-2026-3650 describes a denial-of-service condition in the Grassroots DICOM (GDCM) library. When the parser processes malformed DICOM files with non-standard VR types in file meta information, it can trigger very large allocations and fail to release memory properly, allowing a malicious file to consume heap space in a single read. The result is resource depletion and service impact rather than code execution, based on the supplied advisory.
- Vendor: Raw
- Product: Grassroots DICOM (GDCM) 3.2.2
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-24
- Original CVE updated: 2026-03-24
- Advisory published: 2026-03-24
- Advisory updated: 2026-03-24
Who should care
Teams that use Grassroots DICOM (GDCM) 3.2.2 or derivative software to ingest DICOM files, especially where files may come from untrusted or externally supplied sources. Developers, integrators, and operators should pay attention if the parser is reachable in production workflows or clinical imaging pipelines.
Technical summary
The advisory says a memory leak exists in GDCM during parsing of malformed DICOM file meta information with non-standard VR types. The bug can cause very large memory allocations and leave them unreleased, which can fill the heap and trigger a denial-of-service condition. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, consistent with a high availability impact and no confidentiality or integrity impact stated in the source.
Defensive priority
High for any environment that processes untrusted DICOM content. Prioritize mitigation and update review if GDCM is exposed in network-facing services, automated ingestion pipelines, or other workflows that accept externally provided imaging files.
Recommended defensive actions
- Review whether Grassroots DICOM (GDCM) 3.2.2 is in use anywhere in your software stack, including embedded or bundled copies.
- Check the SourceForge project page referenced by the advisory for update information.
- Treat incoming DICOM files as untrusted input and validate or isolate parsing workflows where possible.
- If you cannot update immediately, reduce exposure by restricting who can submit DICOM files and by monitoring for abnormal memory growth in affected services.
- Track vendor and maintainer communications for a fixed release or additional mitigation guidance.
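One way to act on the "validate or isolate parsing workflows" item, as an added example and not code from GDCM or from the advisory: a pre-filter that walks the file meta information (group 0002, which DICOM PS3.10 requires to be explicit VR little endian) and rejects any element whose VR is outside the standard set or whose declared length the file cannot satisfy, before the file is handed to the real parser. The VR table, the 1 MiB per-element cap and the sample files are assumptions constructed for this example.

```python
import struct

# Assumption: VRs defined in DICOM PS3.5; anything else in group 0002 is rejected up front.
STANDARD_VRS = {
    "AE", "AS", "AT", "CS", "DA", "DS", "DT", "FL", "FD", "IS", "LO", "LT",
    "OB", "OD", "OF", "OL", "OV", "OW", "PN", "SH", "SL", "SQ", "SS", "ST",
    "SV", "TM", "UC", "UI", "UL", "UN", "UR", "US", "UT", "UV",
}
# VRs whose explicit-VR header carries 2 reserved bytes and a 4-byte length.
LONG_LENGTH_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
PREAMBLE = b"\0" * 128 + b"DICM"


def check_file_meta(data: bytes, max_element_len: int = 1 << 20) -> tuple[bool, str]:
    """Walk the group 0002 elements and reject unknown VRs or unsatisfiable lengths."""
    if len(data) < 132 or data[128:132] != b"DICM":
        return False, "missing DICM magic"
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # end of file meta information; the rest is the data set
        vr = data[pos + 4:pos + 6].decode("ascii", "replace")
        if vr not in STANDARD_VRS:
            return False, f"non-standard VR {vr!r} at ({group:04X},{elem:04X})"
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                return False, "truncated element header"
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        # Bound the length against the file itself so a bogus header never becomes a huge allocation.
        if length > max_element_len or pos + length > len(data):
            return False, f"implausible length {length} at ({group:04X},{elem:04X})"
        pos += length
    return True, "file meta information looks well-formed"


def meta_element(elem: int, vr: str, value: bytes) -> bytes:
    """Encode one group 0002 element in explicit VR little endian (for constructed samples)."""
    hdr = struct.pack("<HH", 0x0002, elem) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return hdr + b"\0\0" + struct.pack("<I", len(value)) + value
    return hdr + struct.pack("<H", len(value)) + value


# Constructed samples: a minimal valid header, one with a bogus VR, one claiming a ~4 GB element.
GOOD_FILE = PREAMBLE + meta_element(0x0010, "UI", b"1.2.840.10008.1.2.1\0")
BAD_VR_FILE = PREAMBLE + meta_element(0x0010, "ZZ", b"xx")
HUGE_LEN_FILE = PREAMBLE + struct.pack("<HH", 0x0002, 0x0001) + b"OB\0\0" + struct.pack("<I", 0xFFFFFFF0)
```

Run the check in the ingestion step that receives files from outside, and quarantine anything that fails instead of passing it to the parser.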
Evidence notes
The source advisory states that the maintainer has not responded to CISA requests to work on mitigation and directs users to SourceForge for update information. The supplied corpus identifies the issue as a memory leak in GDCM 3.2.2 that can cause heap exhaustion and denial of service when parsing malformed DICOM files with non-standard VR types. No fixed version is provided in the supplied corpus.
Official resources
- CVE-2026-3650 CVE record (CVE.org)
- CVE-2026-3650 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory and CVE record on 2026-03-24T06:00:00.000Z; use this as the disclosure date for this issue.