Home

Description

An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input, simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.

PUBLISHED Reserved 2025-10-03 | Published 2025-12-12 | Updated 2025-12-15 | Assigner icscert




MEDIUM: 6.8CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

MEDIUM: 6.6CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Problem types

CWE-787 Out-of-bounds Write

Product status

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Credits

Morgen Malinoski reported this vulnerability to CISA. finder

References

github.com/malaterre/GDCM/releases/tag/v3.2.2

www.cisa.gov/...vents/ics-medical-advisories/icsma-25-345-01

github.com/.../csaf_files/OT/white/2025/icsma-25-345-01.json

cve.org (CVE-2025-11266)

nvd.nist.gov (CVE-2025-11266)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.