A Flaw in Android's Medical Image Decoder Could Leak Your Phone's Private Memory Through a Single Scan File
A critical Android vulnerability lets attackers read sensitive phone memory by sending a booby-trapped medical image. No exploit kit and no malware already on the device are needed: opening the file is enough.
This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.
A single medical scan file — the kind your doctor emails after an MRI or CT appointment — could silently hand an attacker a window into your Android phone's private memory, exposing passwords, session tokens, and personal data you never intended to share.
What's happening
Researchers have disclosed CVE-2026-5445, a critical-severity vulnerability with a CVSS score of 9.1 out of 10. The flaw lives inside Android's built-in decoder for DICOM images, the file format used universally by hospitals, radiology clinics, and telehealth platforms to store and share medical imaging data. Any Android device on which that decoder processes a DICOM file containing a palette-colored image is exposed. That potentially covers hundreds of millions of active Android phones and tablets worldwide, though a device is only at risk when it actually decodes such a file, which in practice means devices used by patients, doctors, nurses, and medical administrators who routinely receive scan files through email, messaging apps, and dedicated health portals.
The real-world stakes are immediate and personal. Telehealth adoption surged after 2020 and has never fully retreated — millions of patients now receive radiology reports and imaging files directly on their personal phones. Healthcare workers check scan results on mobile devices between patient consultations. A single malicious DICOM file, delivered through any of those ordinary channels, is enough to trigger the vulnerability without the victim doing anything beyond opening an attachment they have every reason to trust.
How the attack works
Think of a palette-colored image like a paint-by-numbers canvas. Instead of storing the full color of every pixel, the image stores a small numbered code for each pixel, and a separate lookup table translates those codes into actual colors. It is an efficient system, but Android's decoder never checks whether a pixel's code number actually exists in the lookup table. An attacker crafts a DICOM file in which some pixel codes point far beyond the end of the table. When the decoder faithfully follows those out-of-bounds numbers, it reads raw data from whatever sits next to the table on the device's heap, the region of memory where the decoding app keeps its working data: other images, parser state, and possibly authentication tokens, cached credentials, or decrypted personal data held by the same app. Those stolen bytes are quietly written into the decoded image as if they were colors. The leak reaches the attacker only once that rendered image leaves the device, for example when the viewing app uploads, shares, or caches it somewhere a malicious app or remote server can harvest it.
The attack requires no special permissions, no user interaction beyond opening the file, and no sophisticated malware already installed on the device. A convincingly named file — chest_xray_report.dcm, for example — sent through a hospital portal or a messaging app is the entire delivery mechanism.
The technical reality
The vulnerability originates in the DecodeLookupTable function inside DicomImageDecoder.cpp. For images whose Photometric Interpretation is PALETTE COLOR, pixel index values are used directly as offsets into the lookup table without being validated against the declared table size. Indexes past the end of the table copy whatever heap contents follow it into the reconstructed image buffer: a classic information-disclosure primitive. On its own it gives the attacker no code execution, but the leaked bytes can include pointers and other memory-layout data that meaningfully lower the bar for chaining a second bug into a full exploit. No active exploitation has been confirmed in the wild at the time of publication, but the attack surface is broad and the triggering condition, an out-of-range index value in an otherwise valid file, is trivially reproducible.
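The unchecked lookup described in "How the attack works" and again above can be shown in a few lines of C. What follows is an added example written for this article; it is not code from DicomImageDecoder.cpp or any Android source. The palette_t struct, its field names, the four-entry table, the "TOKEN123" secret and the pixel values are all constructed for illustration. To keep the over-read well defined, the secret is placed directly after the table inside a single allocation, which has the same shape as a neighbouring heap chunk without actually reading outside an allocation. The checked version rejects the same file before touching the table.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical palette descriptor for this example. The fields mirror what a
 * DICOM Palette Color Lookup Table Descriptor carries (entry count, first
 * pixel value mapped, bits per entry); names are this example's own, not the
 * Android decoder's. One 8-bit sample per entry keeps the arithmetic simple. */
typedef struct {
    uint32_t entries;      /* declared number of LUT entries */
    uint32_t first_mapped; /* pixel value that selects entry 0 */
    const uint8_t *table;  /* 'entries' samples */
} palette_t;

/* Unchecked lookup, the pattern the article describes: the pixel value becomes
 * a table offset and is dereferenced with no comparison against 'entries'.
 * A value past the table's end reads whatever happens to follow it. */
static void decode_unchecked(const palette_t *p, const uint8_t *px, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = p->table[px[i] - p->first_mapped];
}

/* Checked lookup: every pixel value must lie in
 * [first_mapped, first_mapped + entries). Anything else rejects the frame
 * (returns -1, output untouched) instead of clamping, so a crafted file cannot
 * turn the decoder into a memory reader. Values below first_mapped are tested
 * explicitly because the subtraction would otherwise wrap to a huge offset. */
static int decode_checked(const palette_t *p, const uint8_t *px, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t v = px[i];
        if (v < p->first_mapped || v - p->first_mapped >= p->entries)
            return -1;
    }
    for (size_t i = 0; i < n; i++)
        out[i] = p->table[px[i] - p->first_mapped];
    return 0;
}

#define LUT_LEN 4
#define SECRET "TOKEN123" /* constructed stand-in for adjacent heap contents */

/* Constructed scenario: one heap block holding a 4-entry LUT immediately
 * followed by the secret. Pixel values 0..11 walk off the end of the declared
 * table. Returns 1 when the unchecked path copied the secret into the image
 * and the checked path rejected the frame, 0 otherwise. */
int demo_leak(void)
{
    size_t secret_len = strlen(SECRET);
    uint8_t *block = malloc(LUT_LEN + secret_len);
    if (!block) return 0;
    memset(block, 0x7f, LUT_LEN);                /* legitimate palette samples */
    memcpy(block + LUT_LEN, SECRET, secret_len); /* what "follows" the LUT */

    palette_t pal = { LUT_LEN, 0, block };
    uint8_t px[LUT_LEN + 8];                     /* constructed pixel indexes */
    for (size_t i = 0; i < sizeof px; i++) px[i] = (uint8_t)i;
    uint8_t out[sizeof px] = {0};

    decode_unchecked(&pal, px, sizeof px, out);
    int leaked = memcmp(out + LUT_LEN, SECRET, secret_len) == 0;
    int rejected = decode_checked(&pal, px, sizeof px, out) == -1;

    free(block);
    return leaked && rejected;
}

/* Valid frame through the checked path: pixels 3,0,2 select samples 40,10,30.
 * Returns the first decoded sample (40) on success, -1 otherwise. */
int demo_checked_ok(void)
{
    static const uint8_t lut[LUT_LEN] = { 10, 20, 30, 40 };
    palette_t pal = { LUT_LEN, 0, lut };
    uint8_t px[3] = { 3, 0, 2 }, out[3];
    if (decode_checked(&pal, px, 3, out) != 0) return -1;
    return (out[0] == 40 && out[1] == 10 && out[2] == 30) ? out[0] : -1;
}

/* Descriptor with first_mapped = 2: pixel 2 selects entry 0 and pixel 5
 * entry 3; anything else is out of range. Returns decode_checked's result. */
int probe_first_mapped(uint8_t pixel)
{
    static const uint8_t lut[LUT_LEN] = { 10, 20, 30, 40 };
    palette_t pal = { LUT_LEN, 2, lut };
    uint8_t out[1];
    return decode_checked(&pal, &pixel, 1, out);
}

int main(void)
{
    printf("secret leaked by unchecked decoder and rejected by checked one: %s\n",
           demo_leak() ? "yes" : "no");
    return 0;
}
```

Rejecting the frame is the stricter choice. The DICOM LUT descriptor semantics map values below the first mapped value to the first entry and values past the end to the last entry, so a decoder that clamps is also memory-safe; a decoder that does neither is the one the article describes. Real DICOM pixel data can be 16-bit and signed, so a production check has to be done in the pixel's declared width rather than the 8-bit values used here.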
Who is at risk
Any Android user whose device opens DICOM files is exposed — that includes patients using telehealth apps, clinical staff using mobile imaging viewers, and anyone whose default file handler processes DICOM attachments automatically. Third-party medical imaging apps on Google Play that rely on Android's native decoder inherit the vulnerability directly. Organizations running mobile device management programs across clinical workforces should treat this as a priority patch event.
What you should do right now
1. Update Android immediately. Go to Settings → System → System Update and install any pending update (menu names vary slightly by manufacturer). The fix is included in Android security patch level 2026-07-01 or later. Check your current patch level under Settings → About Phone → Android Security Update; if it still shows an earlier date after updating, your manufacturer has not shipped the fix for your model yet.
2. Audit your medical apps. Open Google Play, tap your profile icon, select Manage Apps & Device, and update every medical imaging or telehealth application listed. Apps that call the platform decoder are covered by the system update; apps that bundle their own copy of the decoder through an imaging SDK need their own update, and versions 2.4.1 or later of the affected SDKs contain the patched decoder. If an app has not pushed an update within the past two weeks, contact the developer before using it to open scan files.
3. Do not open unsolicited DICOM files until patched. Ask your healthcare provider to share imaging results through their official portal rather than direct file attachments until you have confirmed your device is fully updated. No legitimate radiology platform will object to that request.
The technical analysis covers the exact vulnerability mechanism, affected code paths, attack chain, detection methods, and full remediation guide.
Read technical analysis →