Bug 2451988 (CVE-2026-3650)

Summary: CVE-2026-3650 gdcm: GDCM: Denial of Service via malformed DICOM files
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Grassroots DICOM library (GDCM). This memory leak vulnerability occurs when the library processes maliciously crafted DICOM files containing non-standard value representation (VR) types in their file meta-information. A remote attacker can exploit this by providing such a file, leading to vast memory allocations and resource depletion. This can trigger a denial-of-service condition, making the affected system unavailable.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2452009, 2452010, 2452012, 2452013    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-26 22:02:25 UTC 
A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.