NEMA: ELFDICOM: Polyglot Malware in DICOM Part-10 File Format (Linux PoC)
CWE-20
Improper Input Validation
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Per NVD: “The 128-byte preamble of a DICOM file that complies with this specification can contain arbitrary executable headers for multiple operating systems, including Portable Executable (PE) files for Windows and Executable and Linkable Format (ELF) files for Linux.” Per Praetorian’s blog: ELFDICOM is Praetorian’s proof-of-concept extending the prior PEDICOM polyglot research (by Markel Picado Ortiz, 2019) to Linux.
Affected Packages / Versions
- Package: NEMA DICOM Standard 1995 – 2019b (and current implementations)
- Latest published version at triage time: DICOM Standard 2019b
- Affected range: Per NVD: "DICOM Part 10 File Format in the NEMA DICOM Standard 1995 through 2019b and continuing in current implementations."
- Patched version: No standards-level fix; mitigation is implementation-side
Impact
Per Praetorian’s blog: the polyglot capability “becomes particularly dangerous when paired with the DICOM file format” because medical-imaging workflows exchange DICOM files between modalities, archives, and viewers. NVD’s record itself does not enumerate downstream effects.
Severity Rationale
NVD CVSS 7.8 (High): local attack vector, low complexity, no privileges required, but user interaction is required (the file must be executed).
Fix
Per NVD: there is no NEMA standards-level fix. Implementers should validate or zero the DICOM preamble and avoid trusting preamble bytes for control-flow or execute decisions.
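One way an ingest step could implement the preamble check and zeroing described above. This is an added example, not code from NVD, NEMA or Praetorian; the function names and the sample bytes are constructed for illustration, and only the ELF and PE magics named on this page are matched.

```python
PREAMBLE_LEN = 128   # DICOM Part 10: fixed 128-byte preamble
PREFIX = b"DICM"     # 4-byte prefix that follows the preamble

# Executable header magics named on this page (ELF for Linux, PE/MZ for Windows).
EXEC_MAGICS = {b"\x7fELF": "elf", b"MZ": "pe"}


def classify_preamble(data: bytes) -> str:
    """Return 'not-dicom', 'elf', 'pe', 'zero' or 'nonzero' for a Part 10 blob."""
    end = PREAMBLE_LEN + len(PREFIX)
    if len(data) < end or data[PREAMBLE_LEN:end] != PREFIX:
        return "not-dicom"
    preamble = data[:PREAMBLE_LEN]
    for magic, name in EXEC_MAGICS.items():
        if preamble.startswith(magic):
            return name
    # Any other non-zero content is still untrusted; report it separately
    # so the caller can decide whether to quarantine or just zero it.
    return "zero" if preamble == bytes(PREAMBLE_LEN) else "nonzero"


def sanitize(data: bytes) -> bytes:
    """Zero the preamble; the DICM prefix and everything after it are untouched."""
    if classify_preamble(data) == "not-dicom":
        raise ValueError("missing DICM prefix at offset 128")
    return bytes(PREAMBLE_LEN) + data[PREAMBLE_LEN:]


def _sample(preamble_start: bytes) -> bytes:
    # Constructed sample: padded preamble + prefix + placeholder bytes
    # standing in for the data set (not a parseable DICOM object).
    return preamble_start.ljust(PREAMBLE_LEN, b"\x00") + PREFIX + b"\x02\x00\x00\x00UL"


if __name__ == "__main__":
    samples = [("clean", _sample(b"")),
               ("elf", _sample(b"\x7fELF\x02\x01\x01")),
               ("pe", _sample(b"MZ\x90\x00"))]
    for label, blob in samples:
        before = classify_preamble(blob)
        after = classify_preamble(sanitize(blob))
        print(f"{label}: {before} -> {after}")
```

Zeroing rewrites only the first 128 bytes, so the DICM prefix and data set parse exactly as before; a pipeline that depends on non-zero preamble content would need an explicit allow-list instead.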
Disclosure timeline
- TBD: Reported to NEMA
- TBD: No standards-level fix
- TBD: Public disclosure
Fix Commit(s)
References
Discovered by Praetorian Labs (Linux ELFDICOM PoC). Note: original DICOM-polyglot research was published by Markel Picado Ortiz (PEDICOM, 2019). · Published April 29, 2026