Medium severity6.6OSV Advisory· Published Dec 12, 2025· Updated Apr 15, 2026

CVE-2025-11266

Description

An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input, simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.

Affected products

Malaterre/GdcmOSV
Range: v2.0.12, v2.0.16, v2.0.17, …

Patches

2d66f14563fb

https://github.com/malaterre/gdcmvia osv

5829c95c8ac3

https://github.com/malaterre/gdcmvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.429
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000