DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap
Security research highlights a heap overflow vulnerability within DICOM parsing, specifically targeting Orthanc servers during image uploads. By exploiting the complex DICOM file format, attackers can trigger an out-of-bounds write, posing a significant risk to hospital PACS systems that automatically ingest and decode these files.
Authors: Emmanuel Tacheau
Source: Cisco Talos
What Happened
Security researchers have detailed a vulnerability in how medical imaging systems process DICOM files. By uploading a specially crafted, malicious image file, an attacker can cause a memory error (heap overflow) in Orthanc servers, a type of software used by hospitals. This matters because hospital systems often automatically process these files, making them an attractive target for attackers to potentially gain unauthorized access or disrupt services. Organizations using these medical imaging systems should ensure their software is up to date and monitor for unusual upload activity or system crashes.
Key Takeaways
- DICOM parsing represents a critical attack surface due to the automatic ingestion of files by hospital PACS systems.
- A heap overflow vulnerability can be triggered via specially crafted, malformed DICOM files.
- Orthanc servers can be targeted during the image upload process, leading to an out-of-bounds write.
Affected Systems
- Orthanc servers
- DICOM-based PACS systems
- Systems utilizing Pydicom and GDCM libraries
Attack Chain
An attacker crafts a malformed DICOM file designed to exploit parsing vulnerabilities. This file is uploaded to a vulnerable Orthanc server or DICOM-based PACS system over the network. During the automatic ingestion and decoding process, the malformed data triggers a heap overflow, resulting in an out-of-bounds write that could potentially lead to code execution or denial of service.
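The page does not say which field of the crafted file drives the out-of-bounds write, so the following is not a reproduction of the Talos finding. It is an added example, not code from the Talos write-up or from Orthanc, Pydicom or GDCM: a structural pre-ingest check that a PACS front end can run on an uploaded object before any full decoder touches it. It enforces one generic invariant that length-driven parser bugs violate (every declared element or item length must fit inside the bytes actually received) across the DICOM Part 10 preamble, the file meta group, nested sequences and encapsulated pixel data. The sample files, the `check_dicom` name and the result dictionary are constructed for this example; big-endian and deflated transfer syntaxes are deliberately not walked.

```python
import struct

UNDEFINED = 0xFFFFFFFF
# VRs whose explicit-VR header carries 2 reserved bytes and a 4-byte length (PS3.5 section 7.1.2)
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV", b"UC", b"UN", b"UR", b"UT", b"UV"}
IMPLICIT_LE = "1.2.840.10008.1.2"
NOT_WALKED = ("1.2.840.10008.1.2.2", "1.2.840.10008.1.2.1.99")  # explicit VR big endian, deflated


class MalformedDicom(ValueError):
    pass


def read_header(buf, pos, end, explicit):
    """Parse one element header at pos; return (group, elem, vr, length, data_pos)."""
    if end - pos < 8:
        raise MalformedDicom(f"truncated element header at offset {pos}")
    group, elem = struct.unpack_from("<HH", buf, pos)
    if group == 0xFFFE or not explicit:  # items/delimiters and implicit VR: no VR, 4-byte length
        return group, elem, None, struct.unpack_from("<I", buf, pos + 4)[0], pos + 8
    vr = bytes(buf[pos + 4:pos + 6])
    if vr in LONG_VRS:
        if end - pos < 12:
            raise MalformedDicom(f"truncated {vr.decode()} header at offset {pos}")
        return group, elem, vr, struct.unpack_from("<I", buf, pos + 8)[0], pos + 12
    return group, elem, vr, struct.unpack_from("<H", buf, pos + 6)[0], pos + 8


def walk(buf, pos, end, explicit, raw_items=False):
    """Walk elements in buf[pos:end]; return (pos_after, element_count).
    Every defined length is checked against the bytes that really remain; the walk
    returns early when an item/sequence delimiter closes an undefined-length container."""
    count = 0
    while pos < end:
        group, elem, vr, length, pos = read_header(buf, pos, end, explicit)
        is_item = group == 0xFFFE
        if is_item and elem in (0xE00D, 0xE0DD):
            return pos, count
        if length == UNDEFINED:
            # SQ holds nested datasets; encapsulated pixel data (OB/OW/UN) holds raw fragments
            raw = raw_items if is_item else ((group, elem) == (0x7FE0, 0x0010) or (vr is not None and vr != b"SQ"))
            pos, nested = walk(buf, pos, end, explicit, raw)
            count += nested + (0 if is_item else 1)
        elif length > end - pos:
            raise MalformedDicom(f"({group:04X},{elem:04X}) at offset {pos} declares {length} bytes but only {end - pos} remain")
        else:
            if is_item and not raw_items:
                count += walk(buf, pos, pos + length, explicit)[1]
            elif not is_item:
                count += 1
            pos += length
    return pos, count


def check_dicom(buf):
    """Structural pre-ingest check: preamble, magic, file meta, then a full length-consistency walk."""
    if len(buf) < 132 or bytes(buf[128:132]) != b"DICM":
        return {"ok": False, "transfer_syntax": None, "elements": 0, "detail": "missing 128-byte preamble or DICM magic"}
    pos, end, count, ts = 132, len(buf), 0, None
    try:
        while pos < end:  # file meta group (0002,xxxx) is always explicit VR little endian
            group, elem, vr, length, data_pos = read_header(buf, pos, end, True)
            if group != 0x0002:
                break
            if length == UNDEFINED or length > end - data_pos:
                raise MalformedDicom(f"file meta ({group:04X},{elem:04X}) declares {length} bytes but only {end - data_pos} remain")
            if elem == 0x0010:  # Transfer Syntax UID decides how the dataset body is encoded
                ts = bytes(buf[data_pos:data_pos + length]).decode("ascii", "replace").strip("\0 ")
            pos, count = data_pos + length, count + 1
        if ts is None:
            raise MalformedDicom("file meta lacks Transfer Syntax UID (0002,0010)")
        if ts in NOT_WALKED:
            return {"ok": True, "transfer_syntax": ts, "elements": count, "detail": "file meta OK; dataset encoding not walked by this check"}
        count += walk(buf, pos, end, explicit=(ts != IMPLICIT_LE))[1]
    except MalformedDicom as exc:
        return {"ok": False, "transfer_syntax": ts, "elements": count, "detail": str(exc)}
    return {"ok": True, "transfer_syntax": ts, "elements": count, "detail": f"{count} elements, {end} bytes, lengths consistent"}


def element(group, elem, vr, value):
    """Explicit VR LE element builder, used only to construct sample files below."""
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\0\0" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def item(elem, length):
    return struct.pack("<HHI", 0xFFFE, elem, length)


# Constructed sample files (not real studies): a well-formed explicit VR LE object with a
# sequence and encapsulated pixel data, the same object with an impossible PatientName length,
# a truncated copy, and a minimal implicit VR LE object.
PREAMBLE = b"\0" * 128 + b"DICM"
META = element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1\0")
GOOD = (PREAMBLE + META
        + element(0x0010, 0x0010, b"PN", b"DOE^JANE")
        + struct.pack("<HH", 0x0008, 0x1140) + b"SQ\0\0" + struct.pack("<I", UNDEFINED)
        + item(0xE000, UNDEFINED) + element(0x0008, 0x1150, b"UI", b"1.2.3\0") + item(0xE00D, 0)
        + item(0xE0DD, 0)
        + struct.pack("<HH", 0x7FE0, 0x0010) + b"OB\0\0" + struct.pack("<I", UNDEFINED)
        + item(0xE000, 0) + item(0xE000, 4) + b"\xff\xd8\xff\xd9" + item(0xE0DD, 0))
OVERLONG = (PREAMBLE + META
            + struct.pack("<HH", 0x0010, 0x0010) + b"PN" + struct.pack("<H", 0x4000) + b"DOE^JANE")
TRUNCATED = GOOD[:-6]
IMPLICIT = (PREAMBLE + element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2\0")
            + struct.pack("<HHI", 0x0010, 0x0010, 8) + b"DOE^JANE")

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("overlong", OVERLONG), ("truncated", TRUNCATED), ("implicit", IMPLICIT)):
        print(name, check_dicom(data))
```

A gate like this rejects the cheap inconsistencies (lengths past end of file, truncated headers, missing transfer syntax) before a full decoder allocates or copies anything, but it is a complement to patching the decoder, not a substitute: a file whose lengths are self-consistent can still exercise a bug deeper in the codec path.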
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the article excerpt.
Detection Engineering Assessment
- EDR Visibility: Low — EDRs typically do not inspect the internal parsing logic or heap state of specialized medical imaging applications like Orthanc unless a crash occurs or subsequent malicious shellcode executes.
- Network Visibility: Medium — Network sensors might detect anomalous DICOM traffic or malformed packet structures if specific protocol decoders are in place, but complex application-layer payloads are difficult to inspect without specialized tooling.
- Detection Difficulty: Hard — Detecting a heap overflow during application-layer parsing requires deep packet inspection of DICOM protocols or memory-level monitoring of the Orthanc process.
Required Log Sources
- Application Logs
- Crash Dumps
- System Event Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected crashes, segmentation faults, or restart events in the Orthanc server process, which may indicate a failed heap overflow exploitation attempt. | Application event logs, Windows Event Log (Application crash events), or Linux syslog/journalctl | Exploitation | Low to Medium (crashes could be due to benign malformed files or software bugs, but always warrant investigation in critical healthcare systems) |
Control Gaps
- Deep packet inspection for DICOM protocols
- Memory-safe parsing libraries in legacy medical systems
Key Behavioral Indicators
- Orthanc process crashes (e.g., segfaults)
- Unexpected child processes spawned by the Orthanc server daemon
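The hunting hypothesis above (crashes and restarts of the Orthanc process) and the two behavioral indicators (segfaults, unexpected child processes) can be turned into a small scan over host logs. The following is an added example, not from the Talos article or from Orthanc; the log lines are constructed to resemble Linux kernel segfault messages, systemd core-dump notices and auditd execve records, and the process name `Orthanc`, the unit name `orthanc.service`, the ten-minute burst window and the year supplied for syslog timestamps are assumptions to adjust for a real deployment.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed names for the monitored daemon; adjust to your deployment.
WATCHED_COMM = "Orthanc"
WATCHED_UNIT = "orthanc.service"

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
KERNEL_SEGV = re.compile(r"kernel: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at")
SYSTEMD_DUMP = re.compile(r"systemd\[\d+\]: (?P<unit>\S+): Main process exited, code=dumped, status=\d+/(?P<sig>\w+)")
# syscall=59 is execve on x86_64 (other architectures use a different number)
AUDIT_EXEC = re.compile(r'type=SYSCALL .*?syscall=59 .*?ppid=(?P<ppid>\d+) pid=(?P<pid>\d+) .*?comm="(?P<comm>[^"]*)" exe="(?P<exe>[^"]*)"')

# Constructed sample lines (not real telemetry): a PACS host where the Orthanc daemon
# segfaults twice within minutes and, in between, spawns a shell.
SAMPLE_LINES = [
    'Jan 12 09:58:41 pacs01 audit: type=SYSCALL msg=audit(1736675921.101:301): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=2143 auid=4294967295 uid=112 comm="Orthanc" exe="/usr/sbin/Orthanc" key="exec"',
    'Jan 12 10:01:03 pacs01 kernel: Orthanc[2143]: segfault at 7f3a0c1e2000 ip 00007f3a1a42b1c0 sp 00007ffd2c3e5a30 error 6 in libgdcm.so[7f3a1a3f0000+2c0000]',
    'Jan 12 10:01:03 pacs01 systemd[1]: orthanc.service: Main process exited, code=dumped, status=11/SEGV',
    'Jan 12 10:01:08 pacs01 systemd[1]: orthanc.service: Scheduled restart job, restart counter is at 1.',
    'Jan 12 10:01:09 pacs01 audit: type=SYSCALL msg=audit(1736676069.220:318): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=2290 auid=4294967295 uid=112 comm="Orthanc" exe="/usr/sbin/Orthanc" key="exec"',
    'Jan 12 10:02:55 pacs01 audit: type=SYSCALL msg=audit(1736676175.004:342): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2290 pid=2310 auid=4294967295 uid=112 comm="sh" exe="/usr/bin/dash" key="exec"',
    'Jan 12 10:03:27 pacs01 kernel: Orthanc[2290]: segfault at 0 ip 00007f3a1a42b1c0 sp 00007ffd2c3e5a30 error 4 in libgdcm.so[7f3a1a3f0000+2c0000]',
    'Jan 12 10:03:27 pacs01 systemd[1]: orthanc.service: Main process exited, code=dumped, status=11/SEGV',
    'Jan 12 10:15:00 pacs01 sshd[3001]: Accepted publickey for admin from 10.0.5.2 port 51234 ssh2',
]


def hunt(lines, year=2025, burst_window=timedelta(minutes=10), burst_threshold=2):
    """Return findings of kind segfault, core_dump, child_process and crash_burst."""
    orthanc_pids, segfaults, findings = set(), [], []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rest = m["rest"]
        k = KERNEL_SEGV.search(rest)
        if k and k["comm"] == WATCHED_COMM:
            orthanc_pids.add(int(k["pid"]))
            segfaults.append(ts)
            findings.append({"kind": "segfault", "ts": ts, "pid": int(k["pid"]), "line": line})
            continue
        s = SYSTEMD_DUMP.search(rest)
        if s and s["unit"] == WATCHED_UNIT:
            findings.append({"kind": "core_dump", "ts": ts, "signal": s["sig"], "line": line})
            continue
        a = AUDIT_EXEC.search(rest)
        if a:
            pid, ppid = int(a["pid"]), int(a["ppid"])
            if a["comm"] == WATCHED_COMM:
                orthanc_pids.add(pid)  # learn the daemon's PIDs from its own execve
            elif ppid in orthanc_pids:
                findings.append({"kind": "child_process", "ts": ts, "pid": pid, "ppid": ppid, "exe": a["exe"], "line": line})
    # Repeated crashes in a short window look like a restart loop fed by repeated uploads
    segfaults.sort()
    for i in range(len(segfaults) - burst_threshold + 1):
        if segfaults[i + burst_threshold - 1] - segfaults[i] <= burst_window:
            findings.append({"kind": "crash_burst", "ts": segfaults[i], "count": burst_threshold, "window": burst_window, "line": ""})
            break
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'segfault': 2, 'core_dump': 2, 'child_process': 1, 'crash_burst': 1}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LINES):
        print(f["kind"], f["ts"], f["line"][:80])
    print(summarize(hunt(SAMPLE_LINES)))
```

The child-process rule only fires for parents the scan has already seen start as `Orthanc`, so seed it with the current PID at scan start if the daemon's own execve predates the log window. On Windows hosts the crash side of this maps to Application log events from the "Application Error" source (Event ID 1000) naming the Orthanc executable; the child-process side needs process-creation auditing (Sysmon or Event ID 4688) rather than auditd.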
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Review Orthanc server logs for unexpected crashes or anomalous upload patterns.
Infrastructure Hardening
- Consider implementing strict network segmentation to isolate PACS and Orthanc servers from untrusted networks.
- Evaluate deploying network intrusion prevention systems (IPS) with DICOM protocol support if available in your environment.
User Protection
- Ensure that Orthanc and related DICOM processing software (such as Pydicom and GDCM) are updated to the latest patched versions where supported by your tooling.
Security Awareness
- Educate healthcare IT staff on the risks of automatically ingesting untrusted medical imaging files from external sources.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application