Medium-severity Grassroots DICOM Vulnerability Patch Now Available

By Daniel Lopez

The Grassroots DICOM (GDCM) open source C++ library for reading and writing DICOM medical image files has been found to have a medium-severity vulnerability. It can be exploited in a low-complexity attack: the attacker crafts a malicious DICOM file and gets a target to open it. When the file is parsed, the application can crash, causing a denial of service. HIPAA-covered entities and their business associates use this library in software that handles protected health information (PHI).

The out-of-bounds write vulnerability in the GDCM library is triggered while parsing a malformed DICOM file that contains PixelData fragments. The root cause is an unchecked integer underflow in buffer indexing, which leads to an illegal memory access and a segmentation fault. The flaw is reachable through file input alone: a specially crafted DICOM file is all that is needed, and opening it crashes the application. The advisory describes the impact as a crash; as with any out-of-bounds write, the fix should be applied promptly wherever DICOM files from untrusted sources are parsed, such as PACS gateways and upload portals.
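The bug class described above, as an added illustration in C that is not GDCM's code and does not reproduce the exact CVE-2025-11266 code path: a toy reassembler for encapsulated PixelData fragments. It assumes a simplified Basic Offset Table whose entries index the concatenated fragment payloads (the real table counts from the first fragment's item header), and the function names `frame_len_vulnerable`, `frame_len_checked`, `extract_frame`, `build_sample` and the sample bytes are constructed for this example. The unchecked version computes a frame length as next offset minus this offset; a file whose table runs backwards makes that unsigned subtraction wrap to a huge value, and the memcpy that follows becomes an out-of-bounds write. The checked version validates the offsets before subtracting and rejects the file.

```c
/* Added example, not GDCM source. A toy reassembler for DICOM encapsulated PixelData
 * fragments: an unchecked unsigned subtraction on a malformed offset table yields a
 * huge length and an out-of-bounds write; the checked version rejects the file.
 * Layout assumed (little-endian, DICOM PS3.5 Annex A.4):
 *   Item (FFFE,E000) len N -> Basic Offset Table, N/4 uint32 frame offsets
 *   Item (FFFE,E000) len N -> one pixel-data fragment (repeated)
 *   Sequence Delimitation Item (FFFE,E0DD) len 0
 * Simplification (assumption): offsets index the concatenated fragment payloads. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_TAG      0xE000FFFEu   /* bytes FE FF 00 E0 */
#define SEQ_DELIM_TAG 0xE0DDFFFEu   /* bytes FE FF DD E0 */
#define MAX_ITEMS  16
#define MAX_FRAMES 8

typedef struct { size_t off, len; } item_t;            /* payload location within the file */
typedef struct {
    uint32_t bot[MAX_FRAMES]; size_t nframes;          /* Basic Offset Table */
    uint8_t  pixels[256];     size_t total;            /* concatenated fragment payloads */
} pixel_file_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* VULNERABLE: frame i spans [bot[i], end). A file with bot[i+1] < bot[i] makes the
 * unsigned subtraction wrap to a huge length; a memcpy of that many bytes into a
 * fixed-size frame buffer writes far past its end. */
size_t frame_len_vulnerable(const uint32_t *bot, size_t nframes, size_t i, size_t total) {
    size_t end = (i + 1 < nframes) ? bot[i + 1] : total;
    return end - bot[i];
}
/* HARDENED: reject descending or out-of-range offsets before subtracting. */
bool frame_len_checked(const uint32_t *bot, size_t nframes, size_t i, size_t total, size_t *len) {
    size_t end = (i + 1 < nframes) ? bot[i + 1] : total;
    if (bot[i] > end || end > total) return false;
    *len = end - bot[i];
    return true;
}

/* Walk the item stream; returns the item count before the delimiter, or -1 if malformed. */
int parse_items(const uint8_t *buf, size_t n, item_t *items, size_t max_items) {
    size_t pos = 0, count = 0;
    while (pos + 8 <= n) {
        uint32_t tag = rd32(buf + pos), len = rd32(buf + pos + 4);
        pos += 8;
        if (tag == SEQ_DELIM_TAG) return len == 0 ? (int)count : -1;
        if (tag != ITEM_TAG || len > n - pos || count == max_items) return -1;
        items[count].off = pos; items[count].len = len; count++;
        pos += len;
    }
    return -1;                                         /* ran out of bytes before the delimiter */
}
bool load_pixel_file(const uint8_t *buf, size_t n, pixel_file_t *pf) {
    item_t items[MAX_ITEMS];
    int count = parse_items(buf, n, items, MAX_ITEMS);
    if (count < 1 || items[0].len % 4 != 0) return false;
    pf->nframes = items[0].len / 4;
    if (pf->nframes == 0 || pf->nframes > MAX_FRAMES) return false;
    for (size_t i = 0; i < pf->nframes; i++) pf->bot[i] = rd32(buf + items[0].off + 4 * i);
    pf->total = 0;
    for (int i = 1; i < count; i++) {                  /* items after the table are fragments */
        if (items[i].len > sizeof pf->pixels - pf->total) return false;
        memcpy(pf->pixels + pf->total, buf + items[i].off, items[i].len);
        pf->total += items[i].len;
    }
    return true;
}
/* Copy one frame into out using the checked length; returns bytes written or -1. */
long extract_frame(const uint8_t *buf, size_t n, size_t frame, uint8_t *out, size_t out_cap) {
    pixel_file_t pf; size_t len;
    if (!load_pixel_file(buf, n, &pf) || frame >= pf.nframes) return -1;
    if (!frame_len_checked(pf.bot, pf.nframes, frame, pf.total, &len) || len > out_cap) return -1;
    memcpy(out, pf.pixels + pf.bot[frame], len);
    return (long)len;
}

static size_t put_item(uint8_t *dst, uint32_t tag, const void *payload, uint32_t len) {
    wr32(dst, tag); wr32(dst + 4, len);
    if (len) memcpy(dst + 8, payload, len);
    return 8 + len;
}
/* Constructed sample (not a real file): two 4-byte fragments and a two-frame table.
 * malicious=true writes a descending table, so frame 0 "ends" 4 bytes before it starts. */
size_t build_sample(uint8_t *dst, bool malicious) {
    uint8_t bot[8]; size_t n = 0;
    wr32(bot, malicious ? 6 : 0); wr32(bot + 4, malicious ? 2 : 4);
    n += put_item(dst + n, ITEM_TAG, bot, 8);
    n += put_item(dst + n, ITEM_TAG, "ABCD", 4);
    n += put_item(dst + n, ITEM_TAG, "EFGH", 4);
    n += put_item(dst + n, SEQ_DELIM_TAG, NULL, 0);
    return n;
}
/* Extract one frame from the sample and compare with expect (NULL = no comparison).
 * Returns the length, -1 for a rejected file, -2 for a content mismatch. */
long run_case(bool malicious, size_t frame, const char *expect) {
    uint8_t file[64], out[16];
    size_t n = build_sample(file, malicious);
    long got = extract_frame(file, n, frame, out, sizeof out);
    if (got >= 0 && expect && (strlen(expect) != (size_t)got || memcmp(out, expect, (size_t)got)))
        return -2;
    return got;
}
/* The length the unchecked code would pass to memcpy for the same sample (no copy is made). */
size_t unchecked_case(bool malicious, size_t frame) {
    uint8_t file[64]; pixel_file_t pf;
    size_t n = build_sample(file, malicious);
    if (!load_pixel_file(file, n, &pf) || frame >= pf.nframes) return 0;
    return frame_len_vulnerable(pf.bot, pf.nframes, frame, pf.total);
}

int main(void) {
    printf("benign frame 1: %ld bytes\n", run_case(false, 1, "EFGH"));
    printf("malicious frame 0: unchecked length %zu, checked parser returns %ld\n",
           unchecked_case(true, 0), run_case(true, 0, NULL));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The unchecked length for the malicious sample is SIZE_MAX minus 3, which is what a memcpy would be told to write into a 16-byte frame buffer; the checked parser returns -1 instead. If you swap `frame_len_checked` for `frame_len_vulnerable` inside `extract_frame` and build with `-fsanitize=address`, the sanitizer reports the resulting out-of-bounds write, which is the kind of crash the advisory describes.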

The vulnerability is tracked as CVE-2025-11266 and has been assigned a CVSS v3.1 base score of 6.6 and a CVSS v4 base score of 6.8. Cybersecurity analyst Morgen Malinoski discovered the vulnerability and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability has been fixed. Users should upgrade to Grassroots DICOM version 3.2.2 or later, which is available from the project's main GitHub repository. According to CISA, the SimpleITK and medInria projects have also published fixes. Because GDCM is commonly consumed as a bundled dependency, check the version compiled into each downstream application rather than relying on the system package alone.

As a defensive measure to reduce the risk of exploitation, CISA recommends minimizing network exposure for all control system devices and systems: place them behind firewalls, isolate them from business networks, and ensure they are not reachable from the Internet. Where remote access is required, use secure methods such as a virtual private network (VPN), and keep the VPN software updated to the most recent version.

Image credit: MQ-Illustrations, AdobeStock / ©Netsec


Posted by

Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA