CVE-2025-11266 MEDIUM

CVE-2025-11266: Grassroots DICOM (GDCM) Out-of-bounds Write

Vendor Grassroots
Product DICOM (GDCM)
Weakness CWE-787
Published December 12, 2025
Last update January 20, 2026

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input, simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.

Key dates

02Disclosure timeline

December 12, 2025 CVE published
January 20, 2026 Record updated