CVE-2026-3650
Published: 26 March 2026
Summary
CVE-2026-3650 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Sourceforge (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); it is ranked at the 21.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): validates information inputs such as DICOM files so that malformed files with non-standard VR types, which trigger the memory leak, are rejected before parsing.
SI-2 (Flaw Remediation): identifies, reports, and corrects the specific flaw in the GDCM library through timely patching or upgrades, eliminating the memory leak.
SC-6 (Resource Availability): monitors and enforces limits on system resource usage, including memory, to prevent exhaustion and to detect resource depletion caused by processing crafted DICOM files.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A memory leak in the DICOM parser lets a single crafted file exhaust the application's memory remotely: exploitation of a software vulnerability that causes resource depletion and service disruption, which is what T1499.004 describes.
NVD Description
A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.
Deeper analysis
CVE-2026-3650 is a memory leak vulnerability in the Grassroots DICOM library (GDCM). The issue arises when parsing malformed DICOM files that include non-standard VR types in the file meta information, resulting in vast memory allocations and resource depletion that triggers a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing the allocated memory.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating network accessibility, low attack complexity, no required privileges or user interaction, and high impact on availability with no impact on confidentiality or integrity. Remote attackers can exploit it by supplying a specially crafted DICOM file to a vulnerable GDCM instance, leading to memory exhaustion and service disruption.
Advisories including CISA's ICSMA-26-083-01 and the associated CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json provide guidance on mitigation. Additional details on the GDCM library are available at https://sourceforge.net/projects/gdcm/ and https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-083-01.
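The two controls named above (SI-10 input validation and SC-6 resource limits) and the mechanism described in the deeper analysis can be shown together in code. The following C++ program is an added example, not code from GDCM or from the advisories: a small parser for the DICOM file meta information (group 0002, explicit VR little endian) that rejects non-standard VRs and any declared element length that exceeds either the bytes actually present or a caller-supplied allocation budget, before a single value byte is copied, and that keeps values in RAII containers so that nothing stays allocated on an error path. The VR tables, the `allocationBudget` parameter, the `buildSample` helper and the sample files it produces are assumptions constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// One element of the file meta information (group 0002). The value is a std::vector,
// so it is released on every return path, including early rejection (no CWE-401 path).
struct MetaElement { uint16_t group, element; std::string vr; std::vector<uint8_t> value; };

struct ParseResult {
    bool ok = false;
    std::string reason;                // why parsing stopped, when !ok
    std::vector<MetaElement> elements;
    size_t bytesAllocated = 0;         // value bytes retained, checked against the SC-6 budget
};

// Value representations defined in DICOM PS3.5 (assumption: the editions known to the author).
static const char* const kKnownVRs[] = {"AE","AS","AT","CS","DA","DS","DT","FD","FL","IS","LO","LT",
    "OB","OD","OF","OL","OV","OW","PN","SH","SL","SQ","SS","ST","SV","TM","UC","UI","UL","UN","UR","US","UT","UV"};
// VRs whose explicit-VR encoding carries two reserved bytes and a 4-byte length.
static const char* const kLongVRs[] = {"OB","OD","OF","OL","OV","OW","SQ","SV","UC","UN","UR","UT","UV"};

template <size_t N>
static bool inList(const char* const (&list)[N], const std::string& vr) {
    for (const char* k : list) if (vr == k) return true;
    return false;
}
static uint16_t rd16(const std::vector<uint8_t>& b, size_t at) { return uint16_t(b[at] | (b[at + 1] << 8)); }
static uint32_t rd32(const std::vector<uint8_t>& b, size_t at) { return rd16(b, at) | (uint32_t(rd16(b, at + 2)) << 16); }

// Parse group 0002 elements of a DICOM Part 10 file, stopping at the first dataset element.
// Rejects unknown VRs (SI-10) and any declared length that exceeds the bytes actually present
// or the caller's allocation budget (SC-6), before a single value byte is copied.
ParseResult parseFileMeta(const std::vector<uint8_t>& file, size_t allocationBudget) {
    ParseResult r;
    if (file.size() < 132 || std::memcmp(file.data() + 128, "DICM", 4) != 0) {
        r.reason = "missing DICM magic"; return r;
    }
    size_t pos = 132;                                // 128-byte preamble + "DICM"
    while (pos < file.size()) {
        if (file.size() - pos < 6) { r.reason = "truncated element header"; return r; }
        uint16_t group = rd16(file, pos), element = rd16(file, pos + 2);
        if (group != 0x0002) break;                  // file meta information ends here
        std::string vr(reinterpret_cast<const char*>(&file[pos + 4]), 2);
        if (!inList(kKnownVRs, vr)) { r.reason = "non-standard VR '" + vr + "'"; return r; }
        pos += 6;
        size_t lenBytes = inList(kLongVRs, vr) ? 6 : 2;   // reserved(2)+len(4), or len(2)
        if (file.size() - pos < lenBytes) { r.reason = "truncated length field"; return r; }
        uint32_t len = lenBytes == 6 ? rd32(file, pos + 2) : rd16(file, pos);
        pos += lenBytes;
        if (len == 0xFFFFFFFFu) { r.reason = "undefined length not allowed in file meta"; return r; }
        if (len > file.size() - pos) { r.reason = "declared length exceeds remaining bytes"; return r; }
        if (len > allocationBudget - r.bytesAllocated) { r.reason = "allocation budget exceeded"; return r; }
        r.elements.push_back({group, element, vr, std::vector<uint8_t>(file.begin() + pos, file.begin() + pos + len)});
        r.bytesAllocated += len;
        pos += len;
    }
    r.ok = true;
    return r;
}

// Constructed sample file: preamble, "DICM", then one (0002,0010) Transfer Syntax UID element
// with the given VR, declared length, and number of value bytes actually present.
std::vector<uint8_t> buildSample(const std::string& vr, uint32_t declaredLen, size_t actualBytes) {
    std::vector<uint8_t> f(128, 0);
    const char magic[] = "DICM";
    f.insert(f.end(), magic, magic + 4);
    auto put = [&f](uint32_t v, int bytes) { for (int i = 0; i < bytes; ++i) f.push_back(uint8_t(v >> (8 * i))); };
    put(0x0002, 2); put(0x0010, 2);
    f.push_back(uint8_t(vr[0])); f.push_back(uint8_t(vr[1]));
    if (inList(kLongVRs, vr)) { put(0, 2); put(declaredLen, 4); } else { put(declaredLen, 2); }
    f.insert(f.end(), actualBytes, uint8_t('1'));
    return f;
}

int main() {
    struct Case { const char* name; std::vector<uint8_t> file; size_t budget; };
    const Case cases[] = {
        {"well-formed UI element", buildSample("UI", 20, 20), 1 << 20},
        {"non-standard VR",        buildSample("ZZ", 20, 20), 1 << 20},
        {"length > bytes present", buildSample("OB", 0x7FFFFFFFu, 8), 1 << 20},
        {"over allocation budget", buildSample("OB", 64, 64), 32},
    };
    for (const Case& c : cases) {
        ParseResult r = parseFileMeta(c.file, c.budget);
        std::printf("%-24s -> %s\n", c.name, r.ok ? "accepted" : ("rejected: " + r.reason).c_str());
    }
    return 0;
}
```

The third case is the shape the advisory describes: a length field that promises far more data than the file carries. Checking the declared length against the bytes actually present, and against a budget, before reserving memory is what keeps one read from filling the heap; logging the rejection reason gives SC-6 monitoring a concrete signal to alert on.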
Details
- CWE(s)