[Debian-med-packaging] Bug#1132042: gdcm: CVE-2026-3650
Salvatore Bonaccorso
carnil at debian.org
Fri Mar 27 14:17:28 GMT 2026
Source: gdcm
Version: 3.0.24-9
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for gdcm.
CVE-2026-3650[0]:
| A memory leak exists in the Grassroots DICOM library (GDCM). The bug
| occurs when parsing malformed DICOM files with non-standard VR types
| in file meta information. The vulnerability leads to vast memory
| allocations and resource depletion, triggering a denial-of-service
| condition. A maliciously crafted file can fill the heap in a single
| read operation without properly releasing it.
Unfortunately the Red Hat bugzilla entry does not contain information
on upstream status.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-3650
https://www.cve.org/CVERecord?id=CVE-2026-3650
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2451988
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
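As an added illustration, not GDCM's code and not part of this bug report, a defensive pre-check in Python that walks the DICOM file meta information (group 0002) and rejects files whose elements declare a non-standard VR or an implausible value length before the file reaches a full parser. The 64 KiB cap and the constructed sample bytes are assumptions, and whether this check catches the exact input behind CVE-2026-3650 is not established by the report.

```python
import struct
# Standard VRs from DICOM PS3.5 Table 6.2-1; anything else is a non-standard VR
STANDARD_VRS = {"AE", "AS", "AT", "CS", "DA", "DS", "DT", "FL", "FD", "IS", "LO", "LT", "OB",
                "OD", "OF", "OL", "OV", "OW", "PN", "SH", "SL", "SQ", "SS", "ST", "SV", "TM",
                "UC", "UI", "UL", "UN", "UR", "US", "UT", "UV"}
# VRs whose explicit-VR header has 2 reserved bytes and a 4-byte length field
LONG_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
MAX_META_VALUE_LEN = 1 << 16  # assumed cap: group 0002 values are tiny (UIDs, short strings)


def check_file_meta(data: bytes):
    """Walk group 0002 (explicit VR little endian, as the standard mandates for file meta)
    and reject non-standard VRs or implausible lengths. Returns [(group, elem, vr, len)]."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("missing DICM magic after the 128-byte preamble")
    pos, elements = 132, []
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # end of file meta information; the dataset proper follows
        vr = data[pos + 4:pos + 6].decode("ascii", errors="replace")
        if vr not in STANDARD_VRS:
            raise ValueError(f"non-standard VR {vr!r} at ({group:04X},{elem:04X})")
        header = 12 if vr in LONG_VRS else 8
        if pos + header > len(data):
            raise ValueError("truncated element header")
        fmt, off = ("<I", 8) if header == 12 else ("<H", 6)
        length = struct.unpack_from(fmt, data, pos + off)[0]
        # Never trust the declared length: it must fit the file and a sane bound
        if length == 0xFFFFFFFF or length > MAX_META_VALUE_LEN or pos + header + length > len(data):
            raise ValueError(f"implausible length {length} at ({group:04X},{elem:04X})")
        elements.append((group, elem, vr, length))
        pos += header + length
    return elements


def is_safe_meta(data: bytes) -> bool:
    try:
        check_file_meta(data)
        return True
    except ValueError:
        return False


def build_elem(group, elem, vr, value):  # builds one explicit-VR element for the constructed samples
    hdr = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_VRS:
        return hdr + b"\0\0" + struct.pack("<I", len(value)) + value
    return hdr + struct.pack("<H", len(value)) + value


PREAMBLE = b"\0" * 128 + b"DICM"
# Constructed samples: a well-formed meta header, and one with invented VR "ZZ" and a huge length
GOOD_FILE = PREAMBLE + build_elem(2, 1, "OB", b"\x00\x01") + build_elem(2, 0x10, "UI", b"1.2.840.10008.1.2.1\0")
BAD_FILE = PREAMBLE + struct.pack("<HH", 2, 1) + b"ZZ\0\0" + struct.pack("<I", 0xFFFFFFF0)
```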