[From nobody Fri Jun 26 17:41:07 2026
Received: (at submit) by bugs.debian.org; 27 Mar 2026 14:17:31 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.9 required=4.0 tests=BAYES_00, FOURLA,
 FROMDEVELOPER, 
 NO_RELAYS,XMAILER_REPORTBUG autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 12; hammy, 146; neutral, 41; spammy,
 1. spammytokens:0.942-+--H*r:bugs.debian.org
 hammytokens:0.000-+--H*F:U*carnil, 0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--HTo:N*Debian, 0.000-+--H*Ad:N*Bug
Return-path: &lt;carnil@debian.org&gt;
Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from &lt;carnil@debian.org&gt;) id 1w680A-007akg-0N
 for submit@bugs.debian.org; Fri, 27 Mar 2026 14:17:31 +0000
Content-Type: text/plain; charset=&quot;us-ascii&quot;
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso &lt;carnil@debian.org&gt;
To: Debian Bug Tracking System &lt;submit@bugs.debian.org&gt;
Subject: gdcm: CVE-2026-3650
Message-ID: &lt;177462104840.822478.12190780385066655621.reportbug@eldamar.lan&gt;
X-Mailer: reportbug 13.2.0
Date: Fri, 27 Mar 2026 15:17:28 +0100
Delivered-To: submit@bugs.debian.org

Source: gdcm
Version: 3.0.24-9
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team &lt;team@security.debian.org&gt;

Hi,

The following vulnerability was published for gdcm.

CVE-2026-3650[0]:
| A memory leak exists in the Grassroots DICOM library (GDCM). The bug
| occurs when parsing malformed DICOM files with non-standard VR types
| in file meta information. The vulnerability leads to vast memory
| allocations and resource depletion, triggering a denial-of-service
| condition. A maliciously crafted file can fill the heap in a single
| read operation without properly releasing it.

Unfortunately the Red Hat bugzilla entry does not contain information
on upstream status.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities &amp; Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3650
    https://www.cve.org/CVERecord?id=CVE-2026-3650
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2451988

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
]