Researcher Warns: Critical Flaw in Grassroots DICOM Library Poses Risk to Hospital Imaging Systems
A high-severity vulnerability in the Grassroots DICOM (GDCM) library, an open-source component that many medical imaging products build on, has been flagged by both the U.S. federal government and security researchers. If exploited, it could take medical imaging systems in hospitals offline, and it illustrates how tangled healthcare cybersecurity has become.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning that the vulnerability could allow attackers to mount denial-of-service (DoS) attacks on critical imaging infrastructure. Particularly troubling is that no patch is currently available; the flaw affects the widely used GDCM version 3.2.2.
At the heart of this issue lies the Digital Imaging and Communications in Medicine (DICOM) standard. Established in the early 1980s, DICOM is an international protocol pivotal for the transmission, storage, and retrieval of medical imaging data. Medical disciplines such as radiology, cardiology, and radiotherapy predominantly rely on this protocol for effective patient care. Himaja Motheram, a security researcher with Censys, elaborated on the extensive history and significance of DICOM, pointing out its longstanding presence in the healthcare sector.
The Grassroots DICOM library was identified as a foundational component of numerous popular imaging tools; many healthcare organizations unknowingly utilize it through other software platforms. This lack of awareness heightens the risk, as the DICOM standard itself has numerous inherent security shortcomings. As Motheram noted, “The format admits executable code, lacks authentication or encryption, and has no integrity checks.” These deficiencies inherently expose healthcare providers to a myriad of cybersecurity threats.
Mykyta Mudryi, co-founder of ARIMLABS and one of the researchers who discovered the vulnerability, detailed the practical implications. If exploited, an attacker could not only crash Picture Archiving and Communication Systems (PACS) servers but could also bring a hospital’s entire imaging archive offline. This disruption can be critical during time-sensitive medical emergencies, severely impeding patient care. Moreover, attackers could clutter network resources by sending numerous malicious files, further crippling system functionality.
Additionally, Axel Wirth, a chief security strategist at medical device cybersecurity firm MedCrypt, emphasized that the root of such vulnerabilities often lies in the complicated software architecture of imaging devices. The unique challenges faced by these systems frequently stem from the legacy technologies they employ, which may be burdened with outdated DICOM protocols that lack modern security features.
The vulnerability, cataloged as CVE-2026-3650, has a CVSS base score of 7.5, indicating a critical threat to hospital infrastructure. It is described as a memory leak: a malicious file of only 150 bytes can consume up to 4.2 gigabytes of memory that the system cannot reclaim. Operators must also be cautious because attackers could use the resulting DoS condition as a diversion for more targeted intrusions elsewhere in the hospital network.
Despite the threat, CISA reports that the library's developers have not responded to requests to mitigate the vulnerability. In light of this, Mudryi has suggested concrete defensive measures for healthcare organizations to implement.
First and foremost, network isolation is imperative. PACS servers and imaging workstations should not be directly accessible either from the Internet or general business networks. CISA advocates for strategically locating these devices behind firewalls to bolster their security.
Secondly, organizations should focus on implementing rigorous DICOM file validation protocols at the network perimeter. Solutions such as proxies or gateways could conduct thorough inspections of incoming DICOM files, identifying any malformed metadata before those files reach PACS servers or workstations. By flagging or rejecting files containing invalid information, organizations provide an additional layer of protection.
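A perimeter screening step of the kind described above, as an added example that is not code from the original article or from the GDCM project. It walks the DICOM Part 10 header (128-byte preamble, "DICM" magic, then the Explicit VR Little Endian File Meta Information group) and, when the dataset itself is Explicit VR Little Endian, every top-level element, rejecting any element whose declared length does not fit in the file. The sample files are constructed here; the "lying" file, which claims about 3.4 GB of pixel data in under 200 bytes, only illustrates the length check and is not the actual trigger for CVE-2026-3650, which the article does not describe.

```python
"""Perimeter pre-check for DICOM Part 10 files (added example, not GDCM code).

Walks the File Meta Information group and, when the dataset is Explicit VR
Little Endian, every top-level element, rejecting any element whose declared
length does not fit inside the file. Only accepted files go on to the PACS.
"""
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
UNDEFINED_LENGTH = 0xFFFFFFFF
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
TRANSFER_SYNTAX_TAG = (0x0002, 0x0010)
# VRs whose Explicit VR header carries 2 reserved bytes and a 4-byte length
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV", b"UC",
            b"UN", b"UR", b"UT", b"UV"}
SHORT_VRS = {b"AE", b"AS", b"AT", b"CS", b"DA", b"DS", b"DT", b"FD", b"FL",
             b"IS", b"LO", b"LT", b"PN", b"SH", b"SL", b"SS", b"ST", b"TM",
             b"UI", b"UL", b"US"}

class RejectedFile(ValueError):
    """Raised with a human-readable reason when a file fails screening."""

def _read_element(buf, pos):
    """Decode one Explicit VR LE element header at pos.

    Returns (tag, vr, length, value_offset, next_pos); next_pos is None for an
    undefined-length element (SQ or encapsulated pixel data), which is not
    descended into here.
    """
    if pos + 8 > len(buf):
        raise RejectedFile(f"truncated element header at offset {pos}")
    group, elem = struct.unpack_from("<HH", buf, pos)
    vr = buf[pos + 4:pos + 6]
    if vr in LONG_VRS:
        if pos + 12 > len(buf):
            raise RejectedFile(f"truncated element header at offset {pos}")
        (length,) = struct.unpack_from("<I", buf, pos + 8)
        value_off = pos + 12
    elif vr in SHORT_VRS:
        (length,) = struct.unpack_from("<H", buf, pos + 6)
        value_off = pos + 8
    else:
        raise RejectedFile(f"unknown VR {vr!r} at offset {pos}")
    if length == UNDEFINED_LENGTH:
        return (group, elem), vr, length, value_off, None
    if value_off + length > len(buf):
        raise RejectedFile(f"tag ({group:04X},{elem:04X}) declares {length} bytes "
                           f"but only {len(buf) - value_off} remain in the file")
    return (group, elem), vr, length, value_off, value_off + length

def validate_dicom(buf):
    """Return the transfer syntax UID of an acceptable file or raise RejectedFile."""
    if len(buf) < PREAMBLE_LEN + 4 or buf[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise RejectedFile("missing DICM magic after 128-byte preamble")
    pos = PREAMBLE_LEN + 4
    # The meta group is always Explicit VR LE and must open with its group length.
    tag, vr, length, value_off, pos = _read_element(buf, pos)
    if tag != (0x0002, 0x0000) or vr != b"UL" or length != 4:
        raise RejectedFile("first element must be (0002,0000) UL group length")
    (group_len,) = struct.unpack_from("<I", buf, value_off)
    meta_end = pos + group_len
    if meta_end > len(buf):
        raise RejectedFile(f"meta group length {group_len} exceeds file size")
    transfer_syntax = None
    while pos < meta_end:
        tag, vr, length, value_off, nxt = _read_element(buf, pos)
        if tag[0] != 0x0002 or nxt is None:
            raise RejectedFile(f"malformed meta element ({tag[0]:04X},{tag[1]:04X})")
        if tag == TRANSFER_SYNTAX_TAG:
            raw = buf[value_off:value_off + length].rstrip(b"\x00 ")
            transfer_syntax = raw.decode("ascii", "replace")
        pos = nxt
    if pos != meta_end:
        raise RejectedFile("meta group length does not match its elements")
    if not transfer_syntax or not all(c.isdigit() or c == "." for c in transfer_syntax):
        raise RejectedFile(f"missing or malformed transfer syntax UID {transfer_syntax!r}")
    # Dataset: walk top-level elements only when the encoding is unambiguous.
    if transfer_syntax == EXPLICIT_VR_LE:
        while pos is not None and pos < len(buf):
            pos = _read_element(buf, pos)[4]
    return transfer_syntax

def screen(buf):
    """Gateway decision: (accepted, detail); detail is the UID or the reject reason."""
    try:
        return True, validate_dicom(buf)
    except RejectedFile as exc:
        return False, str(exc)

def _element(group, elem, vr, value):
    """Encode one Explicit VR LE element (helper for constructing samples)."""
    header = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return header + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return header + struct.pack("<H", len(value)) + value

def build_sample(body=b"", transfer_syntax=EXPLICIT_VR_LE):
    """Constructed minimal Part 10 file: preamble, magic, meta group, dataset."""
    uid = transfer_syntax.encode()
    if len(uid) % 2:
        uid += b"\x00"  # UIDs are NUL-padded to even length
    meta = _element(2, 0x0001, b"OB", b"\x00\x01") + _element(2, 0x0010, b"UI", uid)
    return (b"\x00" * PREAMBLE_LEN + MAGIC
            + _element(2, 0x0000, b"UL", struct.pack("<I", len(meta))) + meta + body)

# Constructed samples: a sane file, and one whose pixel-data element claims
# ~3.4 GB while the whole file is under 200 bytes (length-check illustration only).
GOOD_FILE = build_sample(_element(0x0008, 0x0016, b"UI", b"1.2.3\x00")
                         + _element(0x0010, 0x0010, b"PN", b"DOE^JANE"))
LYING_FILE = build_sample(struct.pack("<HH", 0x7FE0, 0x0010) + b"OB\x00\x00"
                          + struct.pack("<I", 0xC8000000))

if __name__ == "__main__":
    for name, data in (("good", GOOD_FILE), ("lying", LYING_FILE), ("truncated", GOOD_FILE[:140])):
        print(name, len(data), "bytes ->", screen(data))
```

A gateway would call `screen()` on each inbound object and forward only accepted files to the PACS, logging the reject reason for the SOC. The walker deliberately stops at the first undefined-length element and does not interpret Implicit VR datasets, so it is a cheap first filter in front of the real parser, not a replacement for it.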
Further, resource limits on systems running GDCM-dependent software must be enforced. This can be achieved through operating system-level controls, such as using cgroups on Linux to prevent excessive memory consumption from a single operation—a strategy that could transform a potential system crash into a manageable failure.
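One way to put that resource limit around each GDCM-dependent step, as an added example that is not code from the article or from the GDCM project. It uses RLIMIT_AS, the per-process setrlimit counterpart of a cgroup memory.max, so that a file which makes the parser balloon fails inside its own child process while the ingest service keeps running. It assumes Linux; the two jobs are constructed stand-ins for a real converter such as gdcmconv, and the 4 GiB grab only mirrors the order of magnitude the advisory describes.

```python
"""Run a GDCM-based conversion under a hard memory cap (added example).

Uses RLIMIT_AS, the per-process setrlimit counterpart of a cgroup memory.max,
so a file that makes the parser balloon fails inside its own child process and
the ingest service keeps running. Linux only; the jobs below are constructed
stand-ins for a real converter such as gdcmconv.
"""
import resource
import subprocess
import sys

def _cap_address_space(limit_bytes):
    """Build a preexec hook that applies the cap in the child before exec."""
    def hook():
        resource.setrlimit(resource.RLIMIT_AS, (limit_bytes, limit_bytes))
    return hook

def run_capped(argv, limit_bytes, timeout_s=60):
    """Run argv under the cap; return (ok, exit_code, stderr_tail)."""
    try:
        proc = subprocess.run(argv, preexec_fn=_cap_address_space(limit_bytes),
                              capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return False, None, "timed out"
    tail = proc.stderr.decode(errors="replace")[-200:]
    return proc.returncode == 0, proc.returncode, tail

# Constructed stand-ins: one job touches 8 MiB, the other tries to grab 4 GiB.
POLITE_JOB = [sys.executable, "-c", "b = bytearray(8 << 20); print(len(b))"]
GREEDY_JOB = [sys.executable, "-c", "b = bytearray(4 << 30); print(len(b))"]

def demo(limit_bytes=2 << 30):
    """Run both jobs under the same 2 GiB cap and return the two results."""
    return {"polite": run_capped(POLITE_JOB, limit_bytes),
            "greedy": run_capped(GREEDY_JOB, limit_bytes)}

if __name__ == "__main__":
    for name, (ok, code, tail) in demo().items():
        last = tail.strip().splitlines()[-1] if tail.strip() else ""
        print(f"{name}: ok={ok} exit={code} {last}")
```

Under the cap the greedy job dies with a MemoryError and a non-zero exit code, which the caller records and moves on from; the polite job is unaffected. Because RLIMIT_AS counts virtual address space rather than resident memory, set it comfortably above the converter's normal peak. On a systemd host the same cap can be applied at cgroup level with `systemd-run --scope -p MemoryMax=2G <converter> <args>`, which matches the cgroups approach the text names.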
Lastly, enhancing incident response plans to include protocols for addressing potential disruptions in imaging systems is also crucial. Organizations should devise fallback procedures that can be utilized when accessing images becomes compromised due to a system outage.
In December, CISA had already issued an advisory concerning the Grassroots DICOM library for an “out-of-bounds write” flaw, which likewise could cause a denial-of-service condition if exploited. Timely updates and transparency about security changes in the library will be vital for hospitals and healthcare providers as they navigate these ongoing security challenges.
While the world becomes increasingly interconnected through technology, the importance of maintaining robust cybersecurity measures in the healthcare sector cannot be overstated. The revelation of vulnerabilities like those found in the Grassroots DICOM library underscores the need for continuous advancements in both technology and cybersecurity practices to safeguard sensitive medical information and ensure trustworthy patient care.
