CVE-2026-3650: CWE-401 in Grassroots DICOM (GDCM)
CVE-2026-3650 is a high-severity memory leak vulnerability in the Grassroots DICOM library (GDCM) version 3.2.2. It arises when parsing malformed DICOM files containing non-standard VR types in the file meta information, causing excessive memory allocation and resource exhaustion. This can lead to denial-of-service (DoS) conditions without requiring authentication or user interaction. The vulnerability allows a single crafted file to fill the heap rapidly, impacting availability of systems processing DICOM images. No known exploits are currently reported in the wild. Organizations relying on GDCM for medical imaging workflows should prioritize patching or mitigating this issue to prevent service disruption. Countries with advanced healthcare infrastructure and widespread use of DICOM standards are most at risk. The CVSS 4.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-3650 identifies a memory leak vulnerability classified under CWE-401 in the Grassroots DICOM library (GDCM) version 3.2.2. The flaw occurs during the parsing of malformed DICOM files that include non-standard Value Representation (VR) types within the file meta information header. When such a file is processed, the library allocates large amounts of memory on the heap without properly releasing it, leading to a resource exhaustion condition. This uncontrolled memory consumption can cause the affected application or system to become unresponsive or crash, resulting in a denial-of-service (DoS) scenario. The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction, making it highly accessible to attackers. Although no public exploits have been reported yet, the nature of the vulnerability and the critical role of GDCM in medical imaging workflows make it a significant risk. The CVSS 4.0 base score of 8.7 reflects the ease of exploitation and the high impact on system availability. This vulnerability primarily affects healthcare environments where GDCM is used to process DICOM files, which are standard in medical imaging for storing and transmitting information such as X-rays, MRIs, and CT scans. The lack of patch availability at the time of publication necessitates immediate mitigation efforts to prevent potential service disruptions.
Potential Impact
The primary impact of CVE-2026-3650 is on the availability of systems that utilize the Grassroots DICOM library for medical image processing. Exploitation can cause significant memory exhaustion leading to application crashes or system unresponsiveness, effectively resulting in denial-of-service conditions. This can disrupt critical healthcare operations, delaying diagnosis and treatment. Since DICOM is widely used in hospitals, clinics, and diagnostic centers globally, the vulnerability poses a risk to patient care continuity. Additionally, resource depletion attacks can increase operational costs due to system downtime and recovery efforts. Although confidentiality and integrity are not directly affected, the disruption of availability in healthcare environments can have severe indirect consequences. The vulnerability’s network-exploitable nature without authentication broadens the attack surface, allowing remote attackers to trigger the condition by sending malicious DICOM files. This could also impact third-party services and cloud platforms offering medical imaging processing if they incorporate the vulnerable GDCM version.
Mitigation Recommendations
1. Immediate mitigation involves implementing input validation and filtering at the network or application layer to block malformed or suspicious DICOM files containing non-standard VR types before they reach the vulnerable GDCM parser.
2. Employ sandboxing or containerization for applications processing DICOM files to isolate potential crashes and prevent system-wide impact.
3. Monitor memory usage patterns of applications using GDCM to detect abnormal spikes indicative of exploitation attempts.
4. Restrict network access to systems processing DICOM files to trusted sources only, reducing exposure to remote attacks.
5. Engage with the Grassroots project or vendor for updates or patches addressing this vulnerability; apply patches promptly once available.
6. Consider deploying runtime application self-protection (RASP) or memory protection tools that can detect and mitigate memory leaks or excessive allocations dynamically.
7. Conduct regular security assessments and fuzz testing on DICOM processing pipelines to identify and remediate similar vulnerabilities proactively.
8. Maintain robust incident response plans tailored to healthcare environments to minimize downtime in case of exploitation.
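The following Python pre-filter is an added example of the input validation in step 1; it is not code from the GDCM project or from this advisory, and it does not reproduce or diagnose the GDCM defect. It walks the File Meta Information (group 0002, which DICOM Part 10 always encodes as Explicit VR Little Endian) and rejects a file before any DICOM library sees it if an element carries a VR code outside the standard list, declares a length larger than the bytes actually present (or a configurable cap), or omits the Transfer Syntax UID. The three sample files, the `max_element_len` cap and the function names are constructed for this example.

```python
"""Defensive pre-filter for DICOM Part 10 files: validate group 0002
before handing the file to a full parser such as GDCM.  Sample files
at the bottom are constructed for demonstration, not real patient data."""
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"

# Value Representations defined in DICOM PS3.5.
STANDARD_VRS = frozenset(
    "AE AS AT CS DA DS DT FD FL IS LO LT OB OD OF OL OV OW PN SH SL SQ SS "
    "ST SV TM UC UI UL UN UR US UT UV".split())
# In explicit VR encoding these VRs use 2 reserved bytes plus a 4-byte length.
LONG_LENGTH_VRS = frozenset("OB OD OF OL OV OW SQ SV UC UN UR UT UV".split())


class MetaInfoError(ValueError):
    """Raised when the file meta information fails a structural check."""


def validate_file_meta(data: bytes, max_element_len: int = 1 << 20) -> dict:
    """Return {(group, element): (vr, value_bytes)} for group 0002, or raise
    MetaInfoError so a downstream parser never sees the malformed header."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise MetaInfoError("missing DICM magic after 128-byte preamble")
    pos = PREAMBLE_LEN + 4
    elements = {}
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # file meta information ends; the main dataset follows
        vr = data[pos + 4:pos + 6].decode("ascii", errors="replace")
        if vr not in STANDARD_VRS:
            raise MetaInfoError(f"non-standard VR {vr!r} at ({group:04X},{elem:04X})")
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                raise MetaInfoError("truncated element header")
            (length,) = struct.unpack_from("<I", data, pos + 8)
            value_start = pos + 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            value_start = pos + 8
        if length == 0xFFFFFFFF:
            raise MetaInfoError("undefined length is not allowed in file meta")
        # Bound the length by a policy cap and by the bytes actually present,
        # so a header cannot ask a parser to reserve more than the file holds.
        if length > max_element_len or value_start + length > len(data):
            raise MetaInfoError(
                f"declared length {length} at ({group:04X},{elem:04X}) exceeds limit")
        elements[(group, elem)] = (vr, data[value_start:value_start + length])
        pos = value_start + length
    if (0x0002, 0x0010) not in elements:
        raise MetaInfoError("missing Transfer Syntax UID (0002,0010)")
    return elements


def is_safe(data: bytes) -> bool:
    """Boolean wrapper for an ingest gateway or upload handler."""
    try:
        validate_file_meta(data)
        return True
    except MetaInfoError:
        return False


# --- constructed sample files ---------------------------------------------
def _elem(group, elem, vr, value):
    hdr = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return hdr + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return hdr + struct.pack("<H", len(value)) + value


def _build(elements):
    body = b"".join(_elem(*e) for e in elements)
    group_len = _elem(0x0002, 0x0000, "UL", struct.pack("<I", len(body)))
    return b"\x00" * PREAMBLE_LEN + MAGIC + group_len + body


EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1\x00"       # UIDs are padded to even length
CT_IMAGE_STORAGE = b"1.2.840.10008.5.1.4.1.1.2\x00"


def well_formed_sample():
    return _build([(0x0002, 0x0001, "OB", b"\x00\x01"),
                   (0x0002, 0x0002, "UI", CT_IMAGE_STORAGE),
                   (0x0002, 0x0003, "UI", b"1.2.3.4\x00"),
                   (0x0002, 0x0010, "UI", EXPLICIT_VR_LE)])


def unknown_vr_sample():
    # (0002,0001) carries a VR code "ZZ" that DICOM does not define.
    return _build([(0x0002, 0x0001, "ZZ", b"\x00\x01"),
                   (0x0002, 0x0010, "UI", EXPLICIT_VR_LE)])


def oversized_length_sample():
    # Header claims a 2 GiB OB value that the file does not contain.
    bogus = (struct.pack("<HH", 0x0002, 0x0001) + b"OB" + b"\x00\x00"
             + struct.pack("<I", 0x7FFFFFFF))
    return b"\x00" * PREAMBLE_LEN + MAGIC + bogus


if __name__ == "__main__":
    for name, sample in [("well-formed", well_formed_sample()),
                         ("unknown VR", unknown_vr_sample()),
                         ("oversized length", oversized_length_sample())]:
        print(f"{name:18s} -> {'accept' if is_safe(sample) else 'reject'}")
```

The filter deliberately stops at the first element outside group 0002, so it costs a few hundred bytes of reading per file and can sit in front of a PACS receiver or upload endpoint without parsing pixel data. It is a screen, not a substitute for the vendor fix: a file that passes it can still be malformed further into the dataset, which is why steps 2 through 4 (isolation, memory monitoring, network restriction) remain necessary.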
Affected Countries
United States, Germany, Japan, United Kingdom, France, Canada, Australia, South Korea, Netherlands, Switzerland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-03-06T16:24:00.662Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c5a54b3c064ed76fcfc836
Added to database: 3/26/2026, 9:29:47 PM
Last enriched: 3/26/2026, 9:44:48 PM
Last updated: 3/27/2026, 5:27:38 AM