CISA says the vulnerability can be triggered by opening a specially crafted medical image file.
A medium-severity vulnerability has been identified and patched in the Grassroots DICOM open source library, which is widely used to process DICOM medical image files. According to the U.S. Cybersecurity and Infrastructure Security Agency, the flaw allows an attacker to craft a malformed DICOM file that can cause an application crash when opened. The issue is tracked as CVE-2025-11266 and affects how the library parses encapsulated PixelData fragments, leading to out-of-bounds memory access and a denial of service condition.
The vulnerability stems from an unsigned integer underflow during buffer indexing, which can result in a segmentation fault during file parsing. Exploitation does not require authentication or network access, as the issue is triggered through local file input when a malicious DICOM file is opened. CISA reported that the flaw was identified by cybersecurity analyst Morgen Malinoski and has been fixed in Grassroots DICOM version 3.2.2 and later. Related projects that rely on the affected library, including SimpleITK and medInria, have also released updates to address the issue. Organizations that process medical imaging files using affected components are advised to review dependencies and apply patches promptly.
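To show the class of parsing mistake described above, the following is an added example, not Grassroots DICOM's code and not its patch: a small C walker over the encapsulated PixelData item stream (tag, 32-bit little-endian length, data; layout per the DICOM standard) that validates each item length against the bytes actually present before indexing, with constructed sample streams; `naive_remaining` isolates the unsigned wraparound that a "bytes remaining" check must never rely on.

```c
#include <stddef.h>
#include <stdint.h>
/* Encapsulated Pixel Data: Items tagged (FFFE,E000), each a 32-bit LE length then
 * that many bytes; the first Item is the Basic Offset Table; (FFFE,E0DD) ends it. */
typedef struct { size_t offset; uint32_t length; } frag_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* The hazard: once pos runs past len, len - pos wraps to a huge value, so any
 * "bytes remaining" test built on it passes and the next read goes out of bounds. */
size_t naive_remaining(size_t len, size_t pos) { return len - pos; }
/* Walks the fragment items into out[]; returns fragment count or -1 on malformed input.
 * Each length is checked against the bytes actually present before it is used. */
int parse_encapsulated(const uint8_t *buf, size_t len, frag_t *out, int max_out) {
    size_t pos = 0;
    int n = 0, first = 1;
    for (;;) {
        if (pos > len || len - pos < 8) return -1;             /* truncated item header */
        uint16_t group = rd16(buf + pos), elem = rd16(buf + pos + 2);
        uint32_t ilen = rd32(buf + pos + 4);
        pos += 8;
        if (group != 0xFFFE) return -1;
        if (elem == 0xE0DD) return n;                          /* sequence delimiter */
        if (elem != 0xE000) return -1;
        if (ilen == 0xFFFFFFFFu || ilen > len - pos) return -1; /* length exceeds data */
        if (first) first = 0;                                  /* Basic Offset Table */
        else if (n < max_out) { out[n].offset = pos; out[n].length = ilen; n++; }
        else return -1;
        pos += ilen;
    }
}
/* Constructed samples (not from any real study): a well-formed stream with two
 * fragments, and one whose fragment length claims far more bytes than exist. */
static const uint8_t GOOD[] = {
    0xFE,0xFF,0x00,0xE0, 0,0,0,0,                        /* empty Basic Offset Table */
    0xFE,0xFF,0x00,0xE0, 3,0,0,0, 0xAA,0xBB,0xCC,        /* fragment 1, data at offset 16 */
    0xFE,0xFF,0x00,0xE0, 2,0,0,0, 0xDD,0xEE,             /* fragment 2, data at offset 27 */
    0xFE,0xFF,0xDD,0xE0, 0,0,0,0 };                      /* sequence delimiter */
static const uint8_t BAD[] = {
    0xFE,0xFF,0x00,0xE0, 0,0,0,0,
    0xFE,0xFF,0x00,0xE0, 0xF0,0xFF,0xFF,0xFF, 0xAA,      /* length 0xFFFFFFF0, 1 byte present */
    0xFE,0xFF,0xDD,0xE0, 0,0,0,0 };
int count_fragments(const uint8_t *buf, size_t len) { frag_t f[16]; return parse_encapsulated(buf, len, f, 16); }
long fragment_offset(const uint8_t *buf, size_t len, int idx) {
    frag_t f[16]; int n = parse_encapsulated(buf, len, f, 16);
    return (idx >= 0 && idx < n) ? (long)f[idx].offset : -1;
}
```

Feeding the walker a stream truncated mid-item or one with an oversized length returns -1 instead of reading past the buffer, which is the behaviour a hardened reader should exhibit on a malformed file.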
CISA stated that users should update to the latest available version of the Grassroots DICOM library to prevent exploitation. The agency also advised healthcare organizations and imaging system operators to apply standard defensive measures, including placing systems behind firewalls, isolating them from broader business networks, and limiting external access. Where remote access is required, CISA recommends using secure connections such as updated virtual private networks. These steps are intended to reduce exposure while patches are deployed across affected environments.
Medical imaging software relies heavily on shared, open source components, which means a single flaw can affect many downstream systems at once. Regulators have repeatedly warned that cybersecurity risks in medical devices are not limited to network attacks and data theft, but also include weaknesses in how devices and applications handle routine clinical files. The U.S. Food and Drug Administration has said cybersecurity controls are necessary to keep devices “safe and effective” and must be maintained throughout the device lifecycle. Vulnerabilities like this one show why healthcare organizations are expected to track third-party dependencies closely and apply updates promptly, even when issues appear limited to availability rather than data exposure.
It is an open source library used by imaging applications to read, write, and process DICOM medical image files.
No. The flaw can cause an application crash, but does not allow data theft or remote code execution based on current analysis.
It is triggered when a user opens a specially crafted DICOM file that contains malformed PixelData fragments.
Organizations using Grassroots DICOM directly or through dependent projects such as imaging viewers or analysis tools should update affected components.
Even without data exposure, application crashes can interrupt imaging workflows, delay diagnosis, and impact patient care if systems become unavailable.