CVE-2025-53618
Published 2025-12-16
Priority: P347 · CVSS 3.1 base score 9.1 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.21% (11.7th percentile)
An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. The function `grayscale_convert` is called based on the value in the malicious DICOM file that specifies the intended interpretation of the image pixel data.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gdcm | — | — |
| grassroot_dicom | grassroot_dicom | — | — |
| malaterre | grassroots_dicom | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| OSV | 9.1 | CRITICAL | — |
| Debian (vendor) | 7.4 | HIGH | — |
GHSA
GHSA-r46x-x9h4-p52r (ghsa_unreviewed, 2025-12-17): CVE-2025-53618 [HIGH], CWE-119
OSV
CVE-2025-53618 (osv, 2025-12-16): CVSS 9.1 [CRITICAL]
Debian
CVE-2025-53618, package gdcm (vendor_debian, 2025): CVSS 7.4 [HIGH]
Scope: local
Debian release status:
- bookworm: open
- bullseye: open
- forky: open
- sid: open
- trixie: open
No detection rules found.
No public exploits indexed.
Talos
Libbiosig, Grassroot DiCoM, Smallstep step-ca vulnerabilities (blogs_talos, 2025-12-17): CVSS 7.4 [HIGH]
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, except for Grassroot, as the DiCoM vulnerabilities are zero-days.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
## Libbiosig vulnerability
Discovered by Mark Bereza of Cisco Talos.
BioSig is an open source software library for biomedical signal processing. The BioSig Project seeks to encourage resear
Wiz
CVE-2025-53618 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz): CVSS 7.4 [HIGH]
## CVE-2025-53618: Linux Debian vulnerability analysis and mitigation
Tag: grayscale_convert
Score: 9.1 (Source: NVD)
Published: December 16, 2025
Severity: CRITICAL
CNA Score: 7.4
Affected Technologies: Linux Debian, Echo
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: gdcm
Sources: NVD
| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Debian 11, 12, 13 | MEDIUM | No fix | Dec 18, 2025 |
| Debian 14 | CRITICAL | No fix | Dec 18, 2025 |
| Echo | CRITICAL | No fix | Dec 18, 2025 |