CVE-2025-11266

low-risk

Published 2025-12-12

An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input, simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.6/10 Medium

LOCAL / LOW complexity

References (4)

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsma-25-3...

https://github.com/malaterre/GDCM/releases/tag/v3.2.2

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-345-01

https://github.com/malaterre/GDCM/commit/5829c95c8ac3afa9a3a3413675e948959c28a78...

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal