CISA has issued a warning about a high-severity vulnerability in the open-source Grassroots DICOM (GDCM) library, a widely used component in medical imaging software. The flaw, tracked as CVE-2026-3650, could allow attackers to crash hospital imaging systems and disrupt diagnostic workflows using specially crafted DICOM image files.
What happened
According to BankInfo Security, the vulnerability affects GDCM version 3.2.2, a component that is widely used in healthcare imaging platforms and diagnostic tools. Researchers found that attackers could exploit the flaw remotely without needing access credentials.
If exploited, the issue could overwhelm system resources and disrupt the availability of imaging services. This may affect systems used to store, review, or share medical images within hospitals and healthcare organizations.
Going deeper
The risk extends beyond the GDCM library itself because the software is embedded in numerous healthcare and research imaging platforms. Researchers noted that many organizations may not even realize they are using GDCM because it is included as a dependency in other tools and frameworks.
The library is integrated into major medical imaging ecosystems such as the Insight Toolkit (ITK), 3D Slicer, SimpleITK, and the Medical Imaging Interaction Toolkit. It is also used in Orthanc through an official plugin for handling compressed imaging formats. At the time of the advisory, CISA noted that no official fix had been released and that the software maintainer had not responded to coordination efforts.
What was said
According to the BankInfo Security article, Mykyta Mudryi, co-founder of ARIMLABS, warned that attackers could use the vulnerability to “crash PACS servers - taking an entire hospital's imaging archive offline, freeze diagnostic workstations mid-read - potentially during time-sensitive emergency imaging, or exhaust server memory across a network by sending multiple malicious files.”
Mudryi also cautioned that cybercriminals could use these disruptions as a “smokescreen,” distracting IT and security teams while launching additional attacks elsewhere in a hospital network.
Himaja Motheram, a researcher at Censys, added that the issue is particularly concerning because GDCM is widely integrated into healthcare, and some organizations may not realize that they use the platform. As she states, “It’s been around forever, since the early 2000s and has significant GitHub activity and academic citations… Many organizations probably use it through another tool and don’t even realize it.” She also added that “The format admits executable code, no authentication or encryption, no integrity checking of the file contents by default… It was designed for maximum reliability and interoperability in clinical environments, not maximum data security.”
Additionally, Axel Wirth, chief security strategist at MedCrypt, said imaging systems are difficult to secure because they often have “long life cycles,” thus contributing “to the legacy inventory problem at hospitals.”
Why it matters
The CISA advisory indicates that outdated and neglected technologies can quietly introduce cybersecurity and operational risks.
As Paubox noted in a report, “Based on new data from 150 healthcare IT leaders, this report pulls back the curtain on an overlooked risk in healthcare technology—legacy email systems. These systems are quietly undermining HIPAA compliance, straining operational efficiency, and exposing protected health information to cybercriminals.”
The same concern applies to legacy and embedded clinical technologies such as imaging systems. Many healthcare organizations rely on older software components and third-party tools that operate behind the scenes but remain deeply connected to patient care workflows.
FAQs
How could this affect patient care?
If exploited, the vulnerability could slow down or temporarily disable imaging systems. This may delay diagnoses, interrupt radiology workflows, and create backlogs in clinical decision-making.
Is patient data at risk?
The primary risk highlighted is system disruption rather than direct data theft. However, any system downtime can indirectly affect access to patient records and imaging results needed for care decisions.