CVE-2025-48429 in DICOM
Summary
by MITRE • 12/17/2025
An out-of-bounds read vulnerability exists in the RLECodec::DecodeByStreams functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to leaking heap data. An attacker can provide a malicious file to trigger this vulnerability.
Analysis
by VulDB Data Team • 01/08/2026
The vulnerability identified as CVE-2025-48429 represents a critical out-of-bounds read flaw within the RLECodec::DecodeByStreams function of Grassroot DICOM version 3.024. This issue falls under the category of memory safety vulnerabilities and specifically manifests as a buffer overread condition that can potentially expose sensitive heap data to unauthorized access. The vulnerability is particularly concerning as it occurs during the decoding process of DICOM (Digital Imaging and Communications in Medicine) files, which are widely used in medical imaging systems and healthcare environments where data confidentiality and integrity are paramount.
The root cause is inadequate bounds checking in the decoding path of the RLE (Run-Length Encoding) codec. When processing a specially crafted DICOM file, the DecodeByStreams function does not properly validate array indices or buffer boundaries before accessing memory. An attacker can therefore construct a DICOM file that, when decoded by the affected software, causes the application to read beyond the intended buffer. The resulting heap data leakage can expose sensitive information, including cryptographic keys, user credentials, or confidential medical data stored in adjacent memory regions.
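To show what the missing checks look like in practice, here is an added example of a bounds-checked decoder for one DICOM RLE segment (the PackBits-style scheme defined in DICOM PS3.5 Annex G). It is not GDCM's code and not the vulnerable function; the sample byte streams are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Decode one DICOM RLE segment (PackBits scheme, DICOM PS3.5 Annex G).
 * Returns the number of bytes written to out, or -1 if the stream would
 * read past in_len or write past out_len. Each access is checked before
 * it happens; omitting these checks is what lets a crafted run length
 * read whatever sits next to the buffer on the heap. */
long rle_decode_segment(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_len)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        int8_t n = (int8_t)in[ip++];               /* control byte */
        if (n >= 0) {                              /* literal run: copy n+1 bytes */
            size_t len = (size_t)n + 1;
            if (len > in_len - ip || len > out_len - op)
                return -1;                         /* truncated input or output overflow */
            memcpy(out + op, in + ip, len);
            ip += len; op += len;
        } else if (n != -128) {                    /* replicate run: next byte, -n+1 times */
            size_t len = (size_t)(-n) + 1;
            if (ip >= in_len || len > out_len - op)
                return -1;
            memset(out + op, in[ip++], len);
            op += len;
        }                                          /* -128 is a no-op per the spec */
    }
    return (long)op;
}
/* Constructed sample streams (not taken from any real DICOM file). */
static const uint8_t SAMPLE_OK[]  = { 0x01, 'A', 'B', 0xFD, 'C', 0x80, 0x00, 'D' }; /* "ABCCCCD" */
static const uint8_t SAMPLE_BAD[] = { 0x05, 'X', 'Y' }; /* claims 6 literal bytes, only 2 present */

/* Decode a constructed sample into a 16-byte scratch buffer, exposing only
 * the first out_len bytes to the decoder so the output-bound check can be exercised. */
long demo_decode(const uint8_t *in, size_t in_len, size_t out_len)
{
    uint8_t out[16] = {0};
    if (out_len > sizeof out) out_len = sizeof out;
    return rle_decode_segment(in, in_len, out, out_len);
}

/* Returns 1 if SAMPLE_OK decodes exactly to "ABCCCCD", else 0. */
int demo_ok_is_expected(void)
{
    uint8_t out[16];
    long n = rle_decode_segment(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out);
    return n == 7 && memcmp(out, "ABCCCCD", 7) == 0;
}
```

The malformed sample is rejected with -1 instead of being read past its end, and the same happens when the output buffer is too small for a run.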
From an operational perspective, this vulnerability presents significant risks to healthcare organizations and medical imaging systems that rely on Grassroot DICOM to process DICOM files. The attack vector requires minimal privileges, since the vulnerability is triggered simply by supplying a crafted file, which makes it particularly dangerous in environments where users may inadvertently open malicious files or where automated systems process untrusted DICOM data. The leaked heap data could expose sensitive patient information, system configuration details, or authentication tokens that could be used in further attacks. According to CWE-129, this vulnerability aligns with improper validation of the length of a buffer, while the ATT&CK framework would categorize it under initial access techniques involving file execution, and potentially privilege escalation if the leaked data includes system credentials or keys.
The impact of this vulnerability extends beyond immediate data exposure as it represents a potential gateway for more sophisticated attacks within healthcare environments. Medical imaging systems often contain highly sensitive patient data that is protected by regulations such as HIPAA, making any data leakage from such systems a serious compliance violation. Organizations using Grassroot DICOM 3.024 should prioritize immediate remediation through software updates or patches provided by the vendor. Additionally, network segmentation and file validation measures should be implemented to prevent unauthorized DICOM file processing. The vulnerability demonstrates the critical importance of memory safety in medical imaging software where the stakes are high for both patient privacy and system integrity. Organizations should also consider implementing automated file scanning and validation processes for DICOM files to detect potentially malicious content before processing, while maintaining detailed audit logs of file processing activities for security monitoring purposes.