
Your Medical Imaging App Could Be Leaking Private Memory to Anyone Who Sends You a Corrupted Scan

A critical flaw in Android's DICOM image decoder exposes raw device memory through booby-trapped medical scans. No tap required — just opening the file is enough.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

A single corrupted medical image — the kind routinely sent between doctors, hospitals, and patients — can silently expose the private contents of your Android device's memory to an attacker without you ever knowing it happened.

What's happening

Researchers have disclosed CVE-2026-5445, a critical-rated vulnerability (CVSS 9.1) affecting the way Android devices decode a specific type of medical image format called DICOM. DICOM — Digital Imaging and Communications in Medicine — is the universal file format used to store and transmit X-rays, MRIs, CT scans, and ultrasounds. It's everywhere in modern healthcare: on hospital portals, telehealth apps, radiology platforms, and the patient-facing tools millions of people use to access their own health records. Android devices are increasingly common in clinical environments too, used by nurses, radiologists, and physicians on the floor. This flaw puts all of them at risk. Security teams are being urged to act quickly even though no confirmed attacks have been observed yet — that window tends to close fast once a CVSS 9.1 vulnerability becomes public knowledge.

How the attack works

Imagine a color-by-numbers painting kit. Each square in the image contains a number, and a separate lookup chart tells you which color that number corresponds to. The whole system only works if every number in the painting stays within the range of colors listed on the chart. Now imagine someone hands you a painting where some squares contain numbers that don't exist on your chart — say, number 9,000 when your chart only goes to 256. A careful person would stop and say this doesn't make sense. Android's DICOM decoder does not stop. It keeps reading, grabbing whatever color information happens to be sitting in the computer's memory just beyond the end of the chart — memory that was never meant to be read, memory that could contain passwords, session tokens, encryption keys, or fragments of other apps running on the device.

An attacker exploiting this flaw doesn't need to trick you into installing anything. They craft a malicious DICOM image — one using a special color mode called PALETTE COLOR — and get it in front of you through any plausible channel: a phishing email pretending to be your radiology clinic, a malicious file shared through a healthcare portal, or even an intercepted file transfer on an unencrypted hospital network. The moment a vulnerable Android app renders the image, the decoder reads beyond its allocated memory and the exposed heap contents get embedded directly into the output image data, potentially recoverable by the attacker downstream.

The technical reality

The vulnerability lives inside DicomImageDecoder.cpp, specifically within the DecodeLookupTable function responsible for processing PALETTE COLOR photometric interpretation images. The decoder iterates over pixel indices and uses them to index directly into a pre-allocated lookup table buffer without first validating that each index falls within the table's declared size bounds. This is a classic out-of-bounds read (CWE-125) — the attacker controls the pixel index values inside the crafted file, and by setting those values to exceed the palette size, they can direct reads to arbitrary offsets beyond the heap buffer. Because the decoded pixel values are written into the output image rather than discarded, the exposed heap contents become accessible as image data, making this a heap memory disclosure primitive that is both reliable and difficult to detect in transit. No memory corruption or code execution is required to extract sensitive data.
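The color-by-numbers analogy above and the missing bounds check described here come down to one comparison in the palette expansion loop. The following C program is an added illustration written for this article; it is not Android's DicomImageDecoder.cpp or its DecodeLookupTable function, and the type and function names (PaletteLut, decode_palette_checked, demo_palette) are hypothetical. It shows the hardened shape of the loop: every pixel index is validated against the lookup table's declared entry count before it is used as an array offset, and a single out-of-range index rejects the whole frame rather than being clamped or silently read past the table. The 256-entry palette and the sample frames, including the index 9000 from the analogy, are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not AOSP code: PALETTE COLOR index-to-RGB expansion that
 * validates each pixel index against the LUT's declared size. */

typedef struct {
    const uint16_t *red;    /* one 16-bit entry per palette slot, as DICOM LUTs store them */
    const uint16_t *green;
    const uint16_t *blue;
    size_t entries;         /* declared LUT size; every pixel index must be < entries */
} PaletteLut;

enum {
    DECODE_OK            =  0,
    DECODE_BAD_ARGS      = -1,
    DECODE_INDEX_OOB     = -2,  /* an index pointed past the end of the table */
    DECODE_OUT_TOO_SMALL = -3
};

/* Expands npix palette indices into 8-bit RGB triples in out.
 * Fails closed: the whole frame is validated before any pixel is written,
 * so no read ever touches memory beyond red/green/blue[entries - 1]. */
int decode_palette_checked(const uint16_t *idx, size_t npix,
                           const PaletteLut *lut,
                           uint8_t *out, size_t out_len)
{
    if (!idx || !lut || !out || !lut->red || !lut->green || !lut->blue ||
        lut->entries == 0)
        return DECODE_BAD_ARGS;
    if (out_len / 3 < npix)             /* overflow-safe form of npix * 3 > out_len */
        return DECODE_OUT_TOO_SMALL;

    /* Pass 1: the check the vulnerable decoder lacks. */
    for (size_t i = 0; i < npix; i++) {
        if (idx[i] >= lut->entries)
            return DECODE_INDEX_OOB;
    }
    /* Pass 2: every index is now known to be in bounds. */
    for (size_t i = 0; i < npix; i++) {
        uint16_t k = idx[i];
        out[3 * i]     = (uint8_t)(lut->red[k]   >> 8);  /* keep the high byte of the 16-bit entry */
        out[3 * i + 1] = (uint8_t)(lut->green[k] >> 8);
        out[3 * i + 2] = (uint8_t)(lut->blue[k]  >> 8);
    }
    return DECODE_OK;
}

/* Constructed demo palette (256 entries): red ramps up, green ramps down, blue is constant. */
#define DEMO_ENTRIES 256
static uint16_t demo_red[DEMO_ENTRIES], demo_green[DEMO_ENTRIES], demo_blue[DEMO_ENTRIES];

PaletteLut demo_palette(void)
{
    for (size_t k = 0; k < DEMO_ENTRIES; k++) {
        demo_red[k]   = (uint16_t)(k << 8);
        demo_green[k] = (uint16_t)((255 - k) << 8);
        demo_blue[k]  = (uint16_t)0x8000;
    }
    PaletteLut p = { demo_red, demo_green, demo_blue, DEMO_ENTRIES };
    return p;
}

int main(void)
{
    PaletteLut lut = demo_palette();
    uint16_t good[4] = { 0, 1, 254, 255 };   /* constructed frame: all indices on the "chart" */
    uint16_t bad[4]  = { 0, 9000, 2, 3 };    /* constructed frame: 9000 is not on a 256-entry chart */
    uint8_t rgb[12];

    printf("good frame -> %d\n", decode_palette_checked(good, 4, &lut, rgb, sizeof rgb));
    printf("bad frame  -> %d\n", decode_palette_checked(bad, 4, &lut, rgb, sizeof rgb));
    return 0;
}
```

Validating the whole frame before writing any output matters for the disclosure case: a decoder that checks and decodes in the same loop still emits the pixels it processed before the first bad index, and a decoder that clamps bad indices to the last entry hides the fact that the file was malformed. Rejecting the frame keeps the output buffer free of anything read from outside the table and gives the caller a signal worth logging.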

Who is at risk

Any Android application that parses DICOM files using the affected decoder component is potentially vulnerable. This includes dedicated medical imaging apps, hospital EMR clients, telehealth platforms, and any consumer app that allows users to import or view their own health records. The risk is highest for clinical Android deployments where devices regularly receive DICOM files from external sources, and for patient-facing healthcare apps where users might open files received via email or messaging. Devices running affected Android builds without the patched decoder are vulnerable regardless of Android OS version.

What you should do right now

  1. Update immediately. Check your medical imaging or health record app for updates and install any release that references a fix for CVE-2026-5445. Patch notes may describe it as a fix for "DICOM palette color decoding" or "image decoder memory safety." Don't wait for your device's auto-update cycle — do it manually today.
  2. Restrict DICOM file sources. Until you've confirmed you're running a patched version, only open DICOM files from sources you directly control — your hospital's official portal accessed through a verified browser, not files forwarded through email, SMS, or third-party messaging apps. Treat any unsolicited medical image file as untrusted.
  3. Escalate in clinical environments. If you manage Android devices in a hospital, clinic, or telehealth context, treat this as a priority patch event. Audit which apps on your fleet handle DICOM rendering, cross-reference against vendor advisories published after June 2026, and consider temporarily disabling DICOM file import functionality in MDM policy until patched builds are confirmed deployed across all managed devices.
