
How to Protect Healthcare Systems Against the GDCM Memory Leak (CVE-2026-3650)

Security Arsenal Team
April 4, 2026
5 min read


Introduction

In the healthcare sector, the availability of medical imaging systems is paramount. A recent vulnerability identified in Grassroots DICOM (GDCM), a widely used library for handling DICOM medical imaging files, poses a significant risk to system availability. CVE-2026-3650 is a memory leak vulnerability that allows an attacker to trigger a Denial-of-Service (DoS) condition by simply sending a specially crafted file to a vulnerable system. For defenders, this highlights the critical need for supply chain visibility in medical software and robust input validation strategies to ensure that a single malformed file cannot disrupt critical patient care operations.

Technical Analysis

CVE-2026-3650 is classified as a "Missing Release of Memory after Effective Lifetime" (CWE-401) vulnerability affecting Grassroots DICOM (GDCM) version 3.2.2.

  • Mechanism: The vulnerability resides in the library's file parsing logic. When GDCM parses a DICOM file whose file meta information header contains non-standard VR (Value Representation) types, the library does not correctly manage the memory it allocates for those elements, so that memory is never freed.
  • Impact: An attacker can exploit this by sending a maliciously crafted DICOM file to a service or application that uses the vulnerable GDCM library. Repeated parsing or handling of this file leads to continuous memory consumption, eventually exhausting system resources and causing the application to crash or hang: a classic DoS scenario.
  • Severity: With a CVSS v3 score of 7.5 (High), this vulnerability is particularly concerning for the Healthcare and Public Health critical infrastructure sector, where downtime can directly affect patient outcomes.

Defensive Monitoring

Detecting a memory leak typically requires performance monitoring, but defenders can hunt for the precursors or the aftermath of exploitation. The following detection strategies focus on identifying the execution of GDCM binaries, monitoring for the processing of suspicious DICOM files, and verifying patch status.
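The performance-monitoring side of this is easy to get wrong: a resident-set-size (RSS) alert that only looks at the growth rate will fire whenever a workstation loads a large study. The following Python script is an added example (not part of the original advisory) showing a leak heuristic that requires both a sustained growth rate and near-monotonic growth across a sliding window, so a one-off step change is not flagged. The RSS series and the process names are constructed, and the thresholds are assumptions a SOC would tune per service.

```python
"""Heuristic memory-leak detector over sampled process RSS values.

Added example (not from the original advisory): the input series below are
constructed, and the thresholds are assumptions a SOC would tune per service.
"""
from dataclasses import dataclass
from typing import Sequence

Sample = tuple[float, float]  # (minutes since start, resident set size in MB)


@dataclass(frozen=True)
class LeakVerdict:
    suspicious: bool
    slope_mb_per_min: float   # least-squares growth rate over the window
    growth_fraction: float    # share of consecutive samples that increased
    reason: str


def least_squares_slope(samples: Sequence[Sample]) -> float:
    """Growth rate of RSS against time (MB per minute)."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    num = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return num / den if den else 0.0


def growth_fraction(samples: Sequence[Sample]) -> float:
    """Fraction of steps where RSS rose; a true leak climbs almost every step."""
    steps = [b[1] > a[1] for a, b in zip(samples, samples[1:])]
    return sum(steps) / len(steps) if steps else 0.0


def assess(samples: Sequence[Sample], window: int = 10,
           slope_threshold: float = 2.0, growth_threshold: float = 0.8) -> LeakVerdict:
    """Flag a process only when RSS grows steadily AND fast enough.

    Requiring both criteria separates a leak from a one-off jump such as a
    large study being loaded, which has a high slope but is flat afterwards.
    """
    recent = list(samples[-window:])
    if len(recent) < 3:
        return LeakVerdict(False, 0.0, 0.0, "insufficient samples")
    slope = least_squares_slope(recent)
    frac = growth_fraction(recent)
    if slope >= slope_threshold and frac >= growth_threshold:
        return LeakVerdict(True, slope, frac,
                           f"RSS rising {slope:.1f} MB/min across {frac:.0%} of samples")
    if slope >= slope_threshold:
        return LeakVerdict(False, slope, frac, "single step change, not sustained growth")
    return LeakVerdict(False, slope, frac, "stable")


def detect_leaks(fleet: dict[str, Sequence[Sample]]) -> list[str]:
    """Names of processes whose sampled RSS looks like a leak."""
    return [name for name, series in fleet.items() if assess(series).suspicious]


# Constructed one-minute RSS samples (MB) for three hypothetical services.
HEALTHY = list(enumerate([412, 418, 415, 421, 414, 419, 416, 422, 413, 420, 417, 415]))
LEAKING = list(enumerate([410, 420, 428, 438, 446, 456, 464, 474, 483, 492, 500, 510]))
STEP = list(enumerate([400, 400, 401, 640, 641, 640, 641, 640, 641, 640, 641, 640]))
SAMPLE_FLEET = {"pacs-web": HEALTHY, "dicom-ingest": LEAKING, "viewer": STEP}

if __name__ == "__main__":
    for name, series in SAMPLE_FLEET.items():
        v = assess(series)
        print(f"{name:13s} suspicious={str(v.suspicious):5s} "
              f"slope={v.slope_mb_per_min:6.2f} MB/min  {v.reason}")
```

In production the sample tuples would come from whatever already collects per-process memory (an EDR telemetry table, Performance Monitor counters, or `ps` output on Linux); the heuristic itself does not care about the source. The `STEP` series is the important edge case: its slope over the window is well above the threshold, but only about half of its steps are increases, so it is reported as a step change rather than a leak.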

SIGMA Rules

YAML
---
title: Potential GDCM Executable Execution
id: 8a4b2c1d-9e6f-4a3b-8b5c-1d2e3f4a5b6c
status: experimental
description: Detects the execution of known Grassroots DICOM (GDCM) command-line tools, which may be vulnerable to CVE-2026-3650. Monitoring these processes helps identify endpoints where the library is actively in use.
references:
  - https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - 'gdcm2dcm.exe'
      - 'gdcmdump.exe'
      - 'gdcmraw.exe'
      - 'medcon.exe'
  condition: selection
falsepositives:
  - Legitimate use of DICOM conversion tools by administrators or radiology staff
level: low
---
title: Suspicious DICOM File Creation in User Directories
id: b1c2d3e4-5f6a-4b3c-8d9e-0f1a2b3c4d5e
status: experimental
description: Detects the creation of DICOM files (extensions .dcm, .dicom, .dicm) in user directories or temporary folders. Attackers may drop malformed files in these locations to trigger parsing vulnerabilities.
references:
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\AppData\Local\Temp'
      - '\Downloads'
      - '\Desktop'
    TargetFilename|endswith:
      - '.dcm'
      - '.dicom'
      - '.dicm'
  condition: selection
falsepositives:
  - Legitimate download or export of medical images by staff
level: medium

KQL Queries

The following KQL queries can be used in Microsoft Sentinel or Microsoft Defender for Endpoint to hunt for vulnerable versions and suspicious activity.

KQL — Microsoft Sentinel / Defender
// Hunt for process creation events involving GDCM binaries
DeviceProcessEvents  
| where FolderPath endswith @"\gdcm2dcm.exe" 
   or FolderPath endswith @"\gdcmdump.exe" 
   or FolderPath endswith @"\gdcmraw.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc

// Identify devices with potential GDCM installations via file creation.
// VulnerableHashes is a placeholder: populate it with the SHA256 values of the
// gdcm.dll builds that correspond to the vulnerable release. An empty list is
// valid KQL, so the query still runs and falls back to matching on file name.
let VulnerableHashes = dynamic([]);
DeviceFileEvents
| where FileName =~ "gdcm.dll"
   or SHA256 in (VulnerableHashes)
| summarize Count = count() by DeviceName, FolderPath, FileName, SHA256

Velociraptor VQL

These Velociraptor hunt queries help identify vulnerable versions of the GDCM library on disk and running processes that might be loading it.

VQL — Velociraptor
-- Hunt for GDCM library files on disk and read the PE version resource,
-- so the version check no longer has to be done by hand.
SELECT OSPath, Size, Mtime,
       parse_pe(file=OSPath).VersionInformation.ProductVersion AS ProductVersion
FROM glob(globs='C:/**/gdcm.dll')
WHERE ProductVersion =~ '^3[.]2[.]2'
   -- Drop the WHERE clause to list every copy regardless of version

-- Hunt for processes that currently have gdcm.dll loaded
SELECT Name, Pid, Exe, CommandLine,
       { SELECT ModuleName FROM modules(pid=Pid)
         WHERE ModuleName =~ '(?i)gdcm[.]dll$' } AS GdcmModule
FROM pslist()
WHERE GdcmModule

PowerShell Verification Script

Use this script to scan for the presence of GDCM 3.2.2 on Windows endpoints.

PowerShell
# Check for GDCM 3.2.2 installation
Write-Host "Scanning for GDCM library versions..."

$paths = @(
    "C:\Program Files",
    "C:\Program Files (x86)",
    'C:\$Recycle.Bin',   # single quotes: in a double-quoted string "$Recycle" expands as a variable
    "C:\Users"
)

# Get-ChildItem already returns FileInfo objects, so VersionInfo is available directly
$foundFiles = Get-ChildItem -Path $paths -Recurse -ErrorAction SilentlyContinue -Filter "gdcm.dll" |
    Select-Object FullName, @{Name="ProductVersion"; Expression={ $_.VersionInfo.ProductVersion }}

foreach ($file in $foundFiles) {
    # -like catches "3.2.2" as well as four-part strings such as "3.2.2.0"
    if ($file.ProductVersion -like "3.2.2*") {
        Write-Host "[ALERT] Vulnerable version found at: $($file.FullName)" -ForegroundColor Red
    } elseif ($file.ProductVersion) {
        Write-Host "[INFO] Version $($file.ProductVersion) found at: $($file.FullName)" -ForegroundColor Green
    } else {
        Write-Host "[WARN] No version resource on: $($file.FullName)" -ForegroundColor Yellow
    }
}

Remediation

To protect your organization against CVE-2026-3650, security and IT teams should take the following immediate actions:

  1. Patch and Update: The primary remediation is to update the Grassroots DICOM (GDCM) library to the latest version provided by the vendor. If your organization uses medical imaging software that incorporates GDCM, contact the software vendor immediately to obtain a patched version that integrates the fixed library.
  2. Network Segmentation: Ensure that medical imaging devices (PACS, modalities, workstations) are isolated within a secure VLAN. Restrict the ability to upload files to these systems to trusted internal workstations only, preventing external actors from delivering crafted files.
  3. Input Validation: Implement secure gateways or middleware that validate DICOM files before they reach critical parsing applications. Ensure that files adhere strictly to the DICOM standard and reject those with non-standard VR types or malformed headers.
  4. Asset Inventory: Conduct a thorough scan of your environment to identify all software utilizing the GDCM library. This includes not just standalone tools but third-party medical applications that may bundle the library.
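The mechanism described in the Technical Analysis (a non-standard VR in the file meta information header) and remediation step 3 (validate files before they reach the parser) meet in one piece of code: a strict check of group 0002 that a gateway can run on every incoming file. The following Python validator is an added example, not GDCM code and not part of the original advisory. It parses the 128-byte preamble, the "DICM" magic and each Explicit VR Little Endian element of the file meta header, and rejects any file whose VR is outside the set defined in DICOM PS3.5, whose length runs past the end of the file, or whose group length does not match the header it claims to describe. The sample files and the instance UID in `build_sample` are constructed; the size budget is an assumption.

```python
"""Strict validator for the DICOM File Meta Information (group 0002) header.

Added example, not GDCM code: a gateway can run this on every incoming file
and reject anything whose meta header uses a VR outside PS3.5 before the
file reaches the imaging application's parser. Sample files are constructed.
"""
import struct
from dataclasses import dataclass, field

# The VRs defined in DICOM PS3.5; anything else is non-standard.
STANDARD_VRS = frozenset(
    "AE AS AT CS DA DS DT FL FD IS LO LT OB OD OF OL OV OW PN SH SL SQ "
    "SS ST SV TM UC UI UL UN UR US UT UV".split())
# VRs whose explicit-VR encoding uses 2 reserved bytes plus a 4-byte length.
LONG_LENGTH_VRS = frozenset("OB OD OF OL OV OW SQ SV UC UN UR UT UV".split())
PREAMBLE_LEN, MAGIC = 128, b"DICM"


@dataclass
class ValidationResult:
    ok: bool
    reason: str
    elements: list = field(default_factory=list)  # (tag, vr, value) triples


def encode_element(group: int, element: int, vr: str, value: bytes) -> bytes:
    """Explicit VR Little Endian encoding (used only to build test inputs)."""
    if len(value) % 2:
        value += b"\x00"                     # DICOM values are even-length
    head = struct.pack("<HH", group, element) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def validate_file_meta(data: bytes, max_meta_bytes: int = 64 * 1024) -> ValidationResult:
    """Parse group 0002 strictly; reject unknown VRs, bad lengths, truncation."""
    start = PREAMBLE_LEN + len(MAGIC)
    if len(data) < start or data[PREAMBLE_LEN:start] != MAGIC:
        return ValidationResult(False, "missing DICM magic after 128-byte preamble")
    pos, elements, meta_end = start, [], None
    while pos + 4 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break                            # first dataset element: meta header done
        if pos + 8 > len(data):
            return ValidationResult(False, f"truncated element header at offset {pos}")
        vr = data[pos + 4:pos + 6].decode("ascii", errors="replace")
        if vr not in STANDARD_VRS:           # the condition CVE-2026-3650 is triggered by
            return ValidationResult(False, f"non-standard VR {vr!r} in (0002,{elem:04X}) at offset {pos}")
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                return ValidationResult(False, f"truncated element header at offset {pos}")
            length = struct.unpack_from("<I", data, pos + 8)[0]
            value_start = pos + 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            value_start = pos + 8
        if length == 0xFFFFFFFF:
            return ValidationResult(False, "undefined length is not permitted in the file meta header")
        if value_start + length > len(data):
            return ValidationResult(False, f"value of (0002,{elem:04X}) runs past end of file")
        if value_start + length - start > max_meta_bytes:  # assumed size budget
            return ValidationResult(False, "file meta header exceeds size budget")
        value = data[value_start:value_start + length]
        if elem == 0x0000:                   # (0002,0000) File Meta Information Group Length
            if vr != "UL" or length != 4:
                return ValidationResult(False, "group length must be a 4-byte UL")
            meta_end = value_start + 4 + struct.unpack("<I", value)[0]
        elements.append(((group, elem), vr, value))
        pos = value_start + length
    if not any(tag == (0x0002, 0x0010) for tag, _, _ in elements):
        return ValidationResult(False, "missing (0002,0010) Transfer Syntax UID")
    if meta_end is not None and meta_end != pos:
        return ValidationResult(False, f"group length points to offset {meta_end}, header ends at {pos}")
    return ValidationResult(True, "file meta information well-formed", elements)


def build_sample(version_vr: str = "OB") -> bytes:
    """Constructed CT-image file stub; pass a bogus VR to mimic a malformed file."""
    body = encode_element(0x0002, 0x0001, version_vr, b"\x00\x01")               # Meta Information Version
    body += encode_element(0x0002, 0x0002, "UI", b"1.2.840.10008.5.1.4.1.1.2")  # CT Image Storage
    body += encode_element(0x0002, 0x0003, "UI", b"1.2.3.4.5.6.7.8.9")          # constructed instance UID
    body += encode_element(0x0002, 0x0010, "UI", b"1.2.840.10008.1.2.1")        # Explicit VR Little Endian
    group_length = encode_element(0x0002, 0x0000, "UL", struct.pack("<I", len(body)))
    dataset = encode_element(0x0008, 0x0016, "UI", b"1.2.840.10008.5.1.4.1.1.2")  # first dataset element
    return b"\x00" * PREAMBLE_LEN + MAGIC + group_length + body + dataset


if __name__ == "__main__":
    for label, blob in (("well-formed", build_sample()), ("bogus VR", build_sample("ZZ"))):
        result = validate_file_meta(blob)
        print(f"{label:12s} ok={result.ok}  {result.reason}")
```

The validator deliberately stops at the first dataset element: the file meta header is the only part the advisory identifies as the trigger, and keeping the check small and allocation-free means the gateway itself cannot be driven into the same failure mode by the file it is inspecting. Files it rejects should be quarantined and logged with the reason string, which gives the SOC a concrete precursor signal to pair with the process-level hunts above.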


Tags: healthcare, hipaa, ransomware, dicom, gdcm, cve, vulnerability-management, memory-leak
