
How to Defend Against CVE-2026-3650: Grassroots DICOM Memory Leak Vulnerability

Security Arsenal Team
March 26, 2026

Introduction

Healthcare organizations rely heavily on the seamless availability of medical imaging systems. A critical vulnerability recently identified in the Grassroots DICOM (GDCM) library poses a significant threat to this availability. Tracked as CVE-2026-3650, this security issue could allow an attacker to crash medical imaging applications simply by sending a specially crafted file.

For defenders, understanding the mechanics of this vulnerability is essential to preventing Denial-of-Service (DoS) conditions that could disrupt patient care. This post breaks down the vulnerability and provides actionable steps to identify vulnerable systems and remediate the risk.

Technical Analysis

CVE ID: CVE-2026-3650
CVSS v3 Score: 7.5 (High)
Affected Vendor: Grassroots DICOM
Affected Product: Grassroots DICOM (GDCM) Library
Affected Version: 3.2.2

The Vulnerability: A memory leak in the GDCM library, triggered when the library parses malformed DICOM files that contain non-standard Value Representation (VR) types in their file meta information.

Impact: When an application using the vulnerable version of GDCM processes a malicious file, the library fails to release memory that is no longer needed. Over time, or with rapid repeated processing, the resulting memory exhaustion leads to a crash or a complete halt of the application: a Denial-of-Service (DoS) condition. Given the Healthcare and Public Health sector's reliance on DICOM for imaging (X-rays, MRIs, CTs), this vulnerability creates a high risk of operational disruption.

Defensive Monitoring and Detection

Because GDCM is a library embedded within larger medical software applications (PACS, viewers, etc.), it cannot be detected via a simple network port scan. Defenders must scan the file systems of servers and workstations to identify the presence of the vulnerable DLL or shared object.

The following PowerShell script helps security teams inventory their Windows environments to detect if the vulnerable gdcm.dll version 3.2.2 is present.

PowerShell Scanner for GDCM 3.2.2

<#
.SYNOPSIS
    Scans for presence of GDCM gdcm.dll version 3.2.2 (CVE-2026-3650).
.DESCRIPTION
    Recursively searches common program directories for gdcm.dll and checks version.
#>

$VulnerableVersion = "3.2.2"
$SearchPaths = @("C:\Program Files", "C:\Program Files (x86)", "C:\")
$Results = @()

Write-Host "[+] Starting scan for GDCM Library vulnerabilities..."

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning $Path..."
        try {
            $Files = Get-ChildItem -Path $Path -Filter "gdcm.dll" -Recurse -ErrorAction SilentlyContinue
            foreach ($File in $Files) {
                try {
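                    # "C:\" also covers both Program Files trees, so skip files already recorded
                    if ($Results.FilePath -contains $File.FullName) { continue }

                    $VersionInfo = $File.VersionInfo
                    $FileVersion = $VersionInfo.FileVersion

                    # Windows version resources are often four-part (e.g. "3.2.2.0"), so match that form too
                    if ($FileVersion -eq $VulnerableVersion -or $FileVersion -like "$VulnerableVersion.*") {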
                        $Results += [PSCustomObject]@{
                            ComputerName   = $env:COMPUTERNAME
                            FilePath       = $File.FullName
                            FileVersion    = $FileVersion
                            Status         = "VULNERABLE"
                        }
                    }
                } catch {
                    # Ignore files where version info cannot be read
                }
            }
        } catch {
            Write-Host "[-] Error accessing $Path"
        }
    }
}

if ($Results.Count -gt 0) {
    Write-Host "[!] ALERT: Vulnerable GDCM versions found!" -ForegroundColor Red
    $Results | Format-Table -AutoSize
} else {
    Write-Host "[+] No vulnerable GDCM 3.2.2 instances found." -ForegroundColor Green
}

Remediation

To protect your organization from CVE-2026-3650, IT and security teams should immediately undertake the following steps:

  1. Update GDCM Library: The primary remediation is to update the Grassroots DICOM library to the latest version provided by the vendor. If your organization utilizes third-party medical software that relies on GDCM, contact the software vendor immediately to obtain a patch that includes the updated, non-vulnerable library.

  2. Verify Software Dependencies: Work with your biomedical engineering and IT teams to inventory all software that handles DICOM images. Ensure that every application utilizing the GDCM library is verified for the patch status of its underlying dependencies.

  3. Input Validation and Segmentation:

    • Network Segmentation: Ensure that DICOM traffic and medical imaging workstations are isolated from the general internet and untrusted networks to reduce the attack surface.
    • File Sanitization: Implement security controls that validate DICOM file headers and structure before they are processed by internal imaging libraries. Dropping malformed files at the network perimeter can prevent the exploit from reaching the vulnerable parser.

  4. Monitor for DoS: Until patches are applied, increase monitoring on critical imaging servers for signs of memory exhaustion or unexpected application crashes, which may indicate an active exploitation attempt.
