CVE-2025-11266

Published: Dec 12, 2025

Modified: Jan 20, 2026

PUBLISHED

CVSS v3.1

6.6

MEDIUM

Description

An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input, simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.

Vendor	Product	Versions
Grassroots	DICOM (GDCM)	affected `0 - <= 3.0.24`
NumFocus	SimpleITK	affected `0 - <= 2.5.2`
medInria	medInria	affected `0 - <= 4.0`

Weaknesses (CWE)

CWE-787

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

References

https://github.com/malaterre/GDCM/releases/tag/v3.2.2

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-345-01

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsma-25-345-01.json

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-11266

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References