EXECUTIVE SUMMARY:
A medium-severity out-of-bounds write vulnerability has been identified in the Grassroots DICOM open-source library that can be exploited through a specially crafted malicious DICOM file, leading to an application crash and denial-of-service condition when the file is opened. The flaw occurs during the parsing of encapsulated PixelData fragments and is caused by an unsigned integer underflow in buffer indexing, resulting in out-of-bounds memory access and a segmentation fault. The vulnerability is tracked as CVE-2025-11266 and carries a CVSS base score of 6.6, reflecting a low-complexity, file-based attack vector that does not require authentication or user interaction beyond opening the file.
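To illustrate the bug class named above (an unsigned integer underflow that turns a length or index computation into a very large value and pushes a buffer access out of range), here is an added C example. It is not code from the Grassroots DICOM project and does not reproduce the actual CVE-2025-11266 defect, whose details the summary does not give. It models a simplified, constructed fragment list (a 4-byte little-endian length followed by payload bytes) and shows the unchecked subtraction beside a checked version that rejects a fragment whose declared length exceeds the bytes that remain, which is the kind of input a fuzzer or a hostile file would present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Unsafe pattern: "remaining = total - consumed" with unsigned arithmetic.
   If consumed > total the result wraps to a huge value, and any bounds
   check built on it passes, so a later index walks off the buffer.
   This helper only returns the wrapped value; it never dereferences. */
size_t remaining_unchecked(size_t total, size_t consumed) {
    return total - consumed;  /* underflows when consumed > total */
}

/* Hardened form: test the operands before subtracting. Returns 1 and writes
   the remainder on success, 0 when the subtraction would underflow. */
int remaining_checked(size_t total, size_t consumed, size_t *out) {
    if (consumed > total) {
        return 0;
    }
    *out = total - consumed;
    return 1;
}

/* Parse a constructed fragment list: [u32 LE length][payload]... repeated.
   Returns the number of fragments, or -1 if the input is malformed
   (truncated header, or a declared length larger than the bytes left).
   total_payload (optional) receives the sum of the fragment lengths. */
int parse_fragments(const uint8_t *data, size_t len, size_t *total_payload) {
    size_t off = 0;
    size_t payload = 0;
    int count = 0;

    while (off < len) {
        size_t rem;

        /* Need 4 bytes for the length field. */
        if (!remaining_checked(len, off, &rem) || rem < 4) {
            return -1;
        }
        uint32_t flen = (uint32_t)data[off]
                      | ((uint32_t)data[off + 1] << 8)
                      | ((uint32_t)data[off + 2] << 16)
                      | ((uint32_t)data[off + 3] << 24);
        off += 4;

        /* The declared fragment length must fit in what is left; without
           this check the payload index would run past the end of data. */
        if (!remaining_checked(len, off, &rem) || flen > rem) {
            return -1;
        }
        payload += flen;
        off += flen;
        count++;
    }

    if (total_payload) {
        *total_payload = payload;
    }
    return count;
}

int main(void) {
    /* Constructed inputs: one well-formed list and one with a length field
       far larger than the buffer, as a crafted file might contain. */
    const uint8_t good[] = { 3, 0, 0, 0, 'a', 'b', 'c',
                             2, 0, 0, 0, 'd', 'e' };
    const uint8_t bad[]  = { 0xF0, 0xFF, 0xFF, 0xFF, 'a' };
    size_t payload = 0;

    printf("good: %d fragments, %zu payload bytes\n",
           parse_fragments(good, sizeof good, &payload), payload);
    printf("bad:  %d (rejected)\n", parse_fragments(bad, sizeof bad, NULL));
    printf("unchecked 4 - 8 wraps to %zu\n", remaining_unchecked(4, 8));
    return 0;
}
```

The point of the checked helper is that the comparison happens on the original operands, not on the result of the subtraction; a check such as `if (total - consumed < needed)` is itself subject to the same wrap and offers no protection.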
RECOMMENDATION:
We strongly recommend that you update Grassroots DICOM to version 3.2.2 or later.
REFERENCES:
The following report contains further technical details:
https://www.hipaajournal.com/grassroots-dicom-vulnerability-patched/