CVE-2019-11687
Description
DICOM file format's 128-byte preamble allows embedding executable code, enabling polyglot malware that bypasses security controls in medical environments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The DICOM Part 10 File Format standard (1995 through 2019b, and unchanged in current implementations) defines a 128-byte preamble at the start of every file, followed by the 4-byte "DICM" prefix at offset 128 and then the File Meta Information group. The content of the preamble is deliberately left unspecified for application-specific use, and conforming readers skip it without inspection. Because the first 128 bytes are exactly where operating system loaders look for an executable signature, a 64-byte PE/DOS header (with e_lfanew pointing past the DICOM content) or a 52/64-byte ELF header fits inside the preamble while the file remains a valid DICOM image. The result is a polyglot: a single file that is simultaneously a valid DICOM object and a standalone Windows or Linux executable. Affected versions include all implementations adhering to the NEMA DICOM Standard from 1995 onwards [1][2].
Exploitation
An attacker must create a polyglot file that combines executable code (e.g., PE or ELF) with a valid DICOM structure. The attacker then delivers this .dcm file to a target system, typically via removable media, email, or shared medical systems, and relies on user interaction to execute it. Since the .dcm extension is associated with imaging applications, and anti-malware configurations at healthcare facilities often exclude medical imagery from scanning, the file may bypass standard security controls. DICOM viewers do not run the preamble; they render the image normally, which is what makes the polyglot hard to notice. The payload runs only when the file is launched as a program, e.g., renamed to .exe and double-clicked on Windows, or executed directly on Linux with the execute bit set [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the target system. This can lead to system-wide compromise, including unauthorized access to protected health information (PHI), disruption of medical device functionality, and violation of regulatory compliance requirements such as HIPAA and FDA postmarket obligations. The attack can affect both Windows and Linux-based systems used in healthcare, as demonstrated by proof-of-concept payloads PEDICOM (Windows) and ELFDICOM (Linux) [1][2][3].
Mitigation
As of the published date (2019-05-02), no official patch or update to the DICOM standard to address this design flaw has been released; the issue is intrinsic to the specification. Mitigations rely on administrative and technical controls: restrict execution of .dcm files, deploy anti-malware that inspects DICOM files rather than excluding them by extension, monitor for unusual file execution patterns, and implement strict access controls on systems processing medical images. A cheap, specific check is to inspect the first bytes of every incoming DICOM file for an executable signature ("MZ", "\x7fELF", "#!") before the "DICM" marker at offset 128; overwriting the preamble with zeros on ingest also neutralizes the payload, with the caveat that it breaks legitimate dual-format files (such as TIFF/DICOM) that rely on the preamble. Healthcare organizations should also follow vendor-specific guidance for DICOM-compliant devices [1][2].
- ELFDICOM: PoC Malware Polyglot Exploiting Linux-Based Medical Devices
- Attacking Digital Imaging and Communication in Medicine (DICOM) file format standard, Markel Picado Ortiz (d00rt), PDF in the d00rt/pedicom repository
- GitHub - d00rt/pedicom: Documentation and proofs of concept on the polyglot file PEDICOM (PE executable + DICOM)
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NEMA DICOM Standard / DICOM Part 10 File Format
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The DICOM Part 10 specification leaves the 128-byte Preamble unspecified, enabling creation of polyglot files that are simultaneously valid DICOM images and executable binaries."
Attack vector
An attacker crafts a polyglot file that is simultaneously a valid DICOM image and a valid executable. The 128-byte Preamble stores executable headers (e.g., DOS header for PE, shebang for shell scripts, or ELF header). When the file is opened with a DICOM viewer it displays normally, but when executed (e.g., via ./file.dcm with the executable bit set, or renamed to .exe) the embedded payload runs [ref_id=1]. The attacker must convince a user or system to execute the file. DICOM files are routinely shared between medical devices and hospital systems, often via removable media, and anti-malware configurations at healthcare facilities frequently ignore medical imagery [ref_id=1].
Affected code
The vulnerability is in the DICOM Part 10 File Format specification (NEMA DICOM Standard 1995 through 2019b). The 128-byte Preamble before the "DICM" marker is left unspecified, allowing arbitrary content. This design flaw enables polyglot files that are valid DICOM images and also valid executables (PE, ELF, or shell scripts) [ref_id=1].
What the fix does
No patch is available because this is a design flaw in the DICOM Part 10 File Format specification itself, not a bug in a specific implementation [ref_id=1]. The advisory recommends that healthcare organizations implement compensating controls: configure anti-malware to scan DICOM files, restrict execution permissions on .dcm files, and educate users about the risks of polyglot files. The standard body (NEMA) has not changed the specification to restrict the Preamble content [ref_id=1].
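The file layout described under Vulnerability and Attack vector, and the compensating check recommended here, as an added example that is not code from the advisory, Cylera, Praetorian, or d00rt: a minimal Part 10 header parser that confirms the "DICM" marker at offset 128, reports whether the preamble starts with a PE, ELF, or shebang signature, and optionally zeros the preamble. The sample files it scans are constructed inline; the list of signatures and the helper names are this example's own assumptions.

```python
import struct

PREAMBLE_LEN = 128
DICM_MAGIC = b"DICM"

# Executable signatures that can occupy the first bytes of a preamble.
# Assumption: these three cover the PE, ELF and shell-script cases named above.
EXEC_MAGICS = {
    b"MZ": "PE/DOS header",
    b"\x7fELF": "ELF header",
    b"#!": "shebang script",
}


def is_dicom_part10(data: bytes) -> bool:
    """A Part 10 file has a 128-byte preamble followed by 'DICM' at offset 128."""
    return len(data) >= PREAMBLE_LEN + 4 and data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICM_MAGIC


def preamble_executable_magic(data: bytes):
    """Return the name of the executable signature at offset 0, or None.
    DICOM readers never look here, which is why the check has to be explicit."""
    preamble = data[:PREAMBLE_LEN]
    for magic, name in EXEC_MAGICS.items():
        if preamble.startswith(magic):
            return name
    return None


def read_first_meta_element(data: bytes):
    """Parse the first File Meta element after 'DICM' (explicit VR little endian,
    which Part 10 mandates for group 0002). Returns (group, element, VR, value)."""
    off = PREAMBLE_LEN + 4
    group, elem = struct.unpack_from("<HH", data, off)
    vr = data[off + 4:off + 6].decode("ascii")
    length = struct.unpack_from("<H", data, off + 6)[0]   # 2-byte length for VR 'UI'
    value = data[off + 8:off + 8 + length]
    return group, elem, vr, value.rstrip(b"\x00").decode("ascii")


def sanitize_preamble(data: bytes) -> bytes:
    """Overwrite the preamble with zeros (what most writers emit anyway).
    Caveat: this breaks legitimate dual-format files that rely on the preamble."""
    if not is_dicom_part10(data):
        raise ValueError("not a DICOM Part 10 file")
    return b"\x00" * PREAMBLE_LEN + data[PREAMBLE_LEN:]


def build_sample(preamble_head: bytes) -> bytes:
    """Constructed sample file: preamble_head padded to 128 bytes, 'DICM', then one
    File Meta element, (0002,0010) Transfer Syntax UID = explicit VR little endian."""
    if len(preamble_head) > PREAMBLE_LEN:
        raise ValueError("preamble head exceeds 128 bytes")
    preamble = preamble_head.ljust(PREAMBLE_LEN, b"\x00")
    ts_uid = b"1.2.840.10008.1.2.1\x00"            # 19 chars, NUL-padded to even length
    element = (struct.pack("<HH", 0x0002, 0x0010) + b"UI"
               + struct.pack("<H", len(ts_uid)) + ts_uid)
    return preamble + DICM_MAGIC + element


def scan(data: bytes) -> dict:
    """Verdict a gateway could log for each incoming file."""
    return {
        "dicom": is_dicom_part10(data),
        "executable_preamble": preamble_executable_magic(data),
    }


if __name__ == "__main__":
    for head in (b"", b"MZ", b"\x7fELF", b"#!/bin/sh\n"):
        sample = build_sample(head)
        print(head, scan(sample), read_first_meta_element(sample))
    print(scan(sanitize_preamble(build_sample(b"MZ"))))
```

The parser deliberately reads only the first meta element: the point is that the DICOM side of the file is identical before and after the preamble is zeroed, so a viewer cannot tell the two apart and only an explicit signature check will.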
Preconditions
- (input) The attacker must craft a polyglot DICOM/executable file
- (input) A user or automated process must execute the malicious file (e.g., via ./file.dcm or renaming to .exe)
- (config) Anti-malware must not be configured to scan DICOM files (common in healthcare)
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- labs.cylera.com/2019.04.16/pe-dicom-medical-malware (NVD: Exploit, Technical Description, Third Party Advisory)
- www.securityfocus.com/bid/108730 (NVD)
- github.com/d00rt/pedicom/blob/master/doc/Attacking_Digital_Imaging_and_Communication_in_Medicine_%28DICOM%29_file_format_standard_-_Markel_Picado_Ortiz_%28d00rt%29.pdf (NVD)
- www.praetorian.com/blog/elfdicom-poc-malware-polyglot-exploiting-linux-based-medical-devices/ (NVD)
News mentions
No linked articles in our index yet.