
DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap

Cisco Talos presents a technical white paper demonstrating a heap overflow vulnerability in the DICOM image parsing stack, specifically targeting the Orthanc open-source PACS server during file upload. The attack uses malformed DICOM files to trigger an out-of-bounds write in the heap, leveraging the inherent complexity of the DICOM format and the fact that PACS systems automatically ingest files received over the network, which makes this a zero-interaction attack surface. The research covers the internals of multiple DICOM parsers (pydicom, GDCM, Orthanc) and maps how malformed data flows through the heap to reach the vulnerable write primitive. This is high-impact research given that hospitals depend on DICOM-based PACS infrastructure, and a remotely triggered memory corruption in an image ingestion path could lead to full server compromise.
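The class of defect the paper describes, a parser trusting a length field inside a malformed DICOM file, is easiest to see against a parser that does not. The C below is an added illustration, not code from the Talos paper or from Orthanc, GDCM or pydicom, and it says nothing about where the actual bug lives. It parses DICOM Explicit VR Little Endian data elements (tag, two-character VR, a 2-byte length, or 2 reserved bytes plus a 4-byte length for OB/OW/OF/SQ/UT/UN) and refuses any element whose declared value length exceeds the bytes actually present. The two byte streams are constructed for the example; the function and constant names are the example's own.

```c
/* Added example: bounds-checked parsing of DICOM Explicit VR Little Endian
 * data elements. Not Orthanc/GDCM/pydicom code; the byte streams below are
 * constructed for illustration and omit the 128-byte preamble and "DICM" magic. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
    DCM_OK = 0,
    DCM_TRUNCATED_HEADER = 1,  /* fewer bytes remain than an element header needs */
    DCM_BAD_LENGTH = 2,        /* declared value length exceeds the remaining bytes */
    DCM_UNDEFINED_LENGTH = 3   /* 0xFFFFFFFF: needs delimiter parsing, rejected here */
};

typedef struct {
    uint16_t group, element;
    char vr[3];
    uint32_t length;
    const uint8_t *value;  /* points into the caller's buffer; nothing is copied blindly */
} dicom_element;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VRs whose header carries 2 reserved bytes plus a 4-byte length (PS3.5 section 7.1.2). */
static int vr_uses_long_length(const char *vr) {
    static const char *const long_vrs[] = { "OB", "OW", "OF", "SQ", "UT", "UN" };
    for (size_t i = 0; i < sizeof long_vrs / sizeof long_vrs[0]; i++)
        if (memcmp(vr, long_vrs[i], 2) == 0) return 1;
    return 0;
}

/* Parse one element at buf[*off]; on DCM_OK, *off advances past the value.
 * Every read is checked against the bytes actually present, so a length
 * field claiming more data than the file holds can never size a copy. */
int dicom_parse_element(const uint8_t *buf, size_t len, size_t *off, dicom_element *out) {
    size_t pos = *off;
    if (pos > len || len - pos < 6) return DCM_TRUNCATED_HEADER;
    out->group = rd16le(buf + pos);
    out->element = rd16le(buf + pos + 2);
    memcpy(out->vr, buf + pos + 4, 2);
    out->vr[2] = '\0';
    pos += 6;
    if (vr_uses_long_length(out->vr)) {
        if (len - pos < 6) return DCM_TRUNCATED_HEADER;
        out->length = rd32le(buf + pos + 2);  /* skip the 2 reserved bytes */
        pos += 6;
    } else {
        if (len - pos < 2) return DCM_TRUNCATED_HEADER;
        out->length = rd16le(buf + pos);
        pos += 2;
    }
    if (out->length == 0xFFFFFFFFu) return DCM_UNDEFINED_LENGTH;
    /* The check an unchecked parser omits: is the declared value really there? */
    if (out->length > len - pos) return DCM_BAD_LENGTH;
    out->value = buf + pos;
    *off = pos + out->length;
    return DCM_OK;
}

/* Parse a whole element stream; stop at the first malformed element and
 * report how many elements were accepted before it. */
int dicom_parse_stream(const uint8_t *buf, size_t len, size_t *accepted) {
    size_t off = 0;
    *accepted = 0;
    while (off < len) {
        dicom_element e;
        int rc = dicom_parse_element(buf, len, &off, &e);
        if (rc != DCM_OK) return rc;
        (*accepted)++;
    }
    return DCM_OK;
}

/* Convenience wrappers returning one result each. */
int stream_rc(const uint8_t *buf, size_t len) { size_t n; return dicom_parse_stream(buf, len, &n); }
size_t stream_accepted(const uint8_t *buf, size_t len) { size_t n; dicom_parse_stream(buf, len, &n); return n; }

/* Constructed sample: (0010,0010) PN "DOE^J " followed by (7FE0,0010) OW with 4 value bytes. */
const uint8_t GOOD_STREAM[] = {
    0x10,0x00, 0x10,0x00, 'P','N', 0x06,0x00, 'D','O','E','^','J',' ',
    0xE0,0x7F, 0x10,0x00, 'O','W', 0x00,0x00, 0x04,0x00,0x00,0x00, 0xAA,0xBB,0xCC,0xDD
};
/* Same stream, but the pixel-data length field claims 4096 bytes while only 4 follow. */
const uint8_t BAD_STREAM[] = {
    0x10,0x00, 0x10,0x00, 'P','N', 0x06,0x00, 'D','O','E','^','J',' ',
    0xE0,0x7F, 0x10,0x00, 'O','W', 0x00,0x00, 0x00,0x10,0x00,0x00, 0xAA,0xBB,0xCC,0xDD
};

int main(void) {
    printf("good stream: rc=%d accepted=%zu\n",
           stream_rc(GOOD_STREAM, sizeof GOOD_STREAM), stream_accepted(GOOD_STREAM, sizeof GOOD_STREAM));
    printf("bad stream:  rc=%d accepted=%zu (rejected before any copy)\n",
           stream_rc(BAD_STREAM, sizeof BAD_STREAM), stream_accepted(BAD_STREAM, sizeof BAD_STREAM));
    return 0;
}
```

The point for an ingestion path like a PACS upload handler is that the length check happens before any allocation or copy is sized from the file's own metadata; a parser that allocates or copies `length` bytes first and validates afterwards has already done the out-of-bounds access. Sequences with undefined length (0xFFFFFFFF) need item-delimiter parsing with the same discipline applied at each nested level, which this example deliberately rejects rather than handles.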


This post is licensed under CC BY 4.0 by the author.