CVE-2025-14841

LOW

OFFIS DCMTK <3.6.9 - Null Pointer Dereference

Title source: llm

Description

A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted element is the function DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. This manipulation causes null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue. Patch name: ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component.

References (7)

[Permissions Required, VDB Entry] https://vuldb.com/?id.337004

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.337004

[Permissions Required, VDB Entry] https://vuldb.com/?submit.714605

[Permissions Required, VDB Entry] https://vuldb.com/?submit.714634

[Issue Tracking] https://support.dcmtk.org/redmine/issues/1183

[Patch] https://github.com/DCMTK/dcmtk/commit/ffb1a4a37d2c876e3feeb31df4930f2aed7fa030

View Patch ZIP pw:eip

[Release Notes] https://github.com/DCMTK/dcmtk/releases/tag/DCMTK-3.7.0

Scores

CVSS v3 3.3

EPSS 0.0004

EPSS Percentile 10.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-404 CWE-476

Status published

Products (11)

OFFIS/DCMTK 3.6.0

OFFIS/DCMTK 3.6.1

OFFIS/DCMTK 3.6.2

OFFIS/DCMTK 3.6.3

OFFIS/DCMTK 3.6.4

OFFIS/DCMTK 3.6.5

OFFIS/DCMTK 3.6.6

OFFIS/DCMTK 3.6.7

OFFIS/DCMTK 3.6.8

OFFIS/DCMTK 3.6.9

... and 1 more

Published Dec 18, 2025

Tracked Since Feb 18, 2026