CVE-2026-3650 is an unpatched memory leak vulnerability (CWE-401, CVSS 7.5) in the GDCM open-source DICOM library that can crash any application embedding it via malformed DICOM input, including PACS servers, radiology workstations, and imaging gateways. No upstream patch is currently available, making compensating controls — DICOM traffic allowlisting, source IP restrictions on ports 104/TCP and 11112/TCP, and SBOM enumeration to identify all affected systems — the only available risk reduction path until a vendor fix is released. Healthcare organizations should contact imaging system vendors for product-specific advisories, as GDCM is frequently embedded in commercial clinical applications.
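The SBOM enumeration step described above can be scripted. The following is an added example, not code from the advisory or the GDCM project: it walks CycloneDX JSON SBOMs, including nested components, and lists every system that embeds GDCM so each one can be matched to a vendor advisory. The system names, versions, and the package-name pattern are constructed assumptions.

```python
import json
import re

# Assumed naming pattern: covers "gdcm", "libgdcm*" and "python-gdcm" in names or purls.
GDCM_RE = re.compile(r"(?<![a-z0-9])(?:lib|python3?-)?gdcm", re.IGNORECASE)

# Constructed sample SBOMs (CycloneDX JSON); every name and version is a placeholder.
SAMPLE_SBOMS = {
    "pacs-server": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "application", "name": "dicom-ingest", "version": "0.0.0-sample",
             "components": [
                 {"type": "library", "name": "libgdcm3.0", "version": "0.0.0-sample",
                  "purl": "pkg:deb/debian/libgdcm3.0@0.0.0-sample"}]},
            {"type": "library", "name": "zlib", "version": "0.0.0-sample"}]}),
    "research-viewer": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "GDCM", "version": "0.0.0-sample",
             "purl": "pkg:pypi/python-gdcm@0.0.0-sample"}]}),
    "report-service": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [{"type": "library", "name": "openssl", "version": "0.0.0-sample"}]}),
}

def walk(components, path=()):
    """Yield (path, component) for each component, descending into nested ones."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk(comp.get("components"), here)

def find_gdcm(system, sbom):
    """Return one finding per GDCM component found in a parsed CycloneDX document."""
    findings = []
    for path, comp in walk(sbom.get("components")):
        if GDCM_RE.search(comp.get("name", "")) or GDCM_RE.search(comp.get("purl", "")):
            findings.append({"system": system, "path": " > ".join(path),
                             "version": comp.get("version", "unknown")})
    return findings

def inventory(sboms):
    """Scan a {system: sbom_json_text} mapping and return findings ordered by system."""
    results = []
    for system in sorted(sboms):
        results.extend(find_gdcm(system, json.loads(sboms[system])))
    return results

if __name__ == "__main__":
    for f in inventory(SAMPLE_SBOMS):
        print(f"{f['system']}: {f['path']} (version {f['version']})")
```

Because the page lists no fixed version, the script reports every GDCM occurrence rather than filtering by version range.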