CVE-2025-14841 in DCMTK
Summary
by MITRE • 12/18/2025
A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted elements are the functions DcmQueryRetrieveIndexDatabaseHandle::startFindRequest and DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. The manipulation results in a null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue. Patch name: ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component.
Analysis
by VulDB Data Team • 12/21/2025
The vulnerability identified as CVE-2025-14841 is a critical null pointer dereference flaw in the OFFIS DCMTK library, affecting the DcmQueryRetrieveIndexDatabaseHandle::startFindRequest and DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest functions. The issue lives in dcmqrdb/libsrc/dcmqrdbi.cc in the dcmqrscp component, part of DCMTK's implementation of the DICOM (Digital Imaging and Communications in Medicine) standard, which is used extensively in healthcare imaging systems. The flaw is triggered while these functions process query and move requests within the DICOM query/retrieve service: a null pointer is dereferenced during what is otherwise normal operation. The weakness is classified as CWE-476 (NULL Pointer Dereference), a condition that leads to application crashes and, in some cases, further exploitation.
The attack vector requires local system access, so an attacker must already be on the system running the DCMTK software to trigger the flaw. This requirement limits the attack surface considerably compared to a remote exploit, but it is still a serious concern: local access usually means either physical access to the machine or a compromised user account with sufficient privileges. Triggering the flaw can crash or terminate the DICOM server process, a denial of service that disrupts medical imaging workflows. In healthcare environments, where DICOM servers hold patient imaging data and broker communication between medical devices, such disruptions carry operational and patient safety consequences.
The technical impact goes beyond a simple service outage, because the flaw sits in how the DICOM query/retrieve service handles request processing. When startFindRequest or startMoveRequest is invoked, the code does not validate its pointer references before dereferencing them, so an invalid memory access occurs. This is especially concerning in medical imaging environments, where system reliability is paramount: the flaw could be used to interrupt service during critical procedures or data transfers. All versions of OFFIS DCMTK up to and including 3.6.9 are affected, so healthcare organizations and medical device manufacturers that build on these libraries should treat it as requiring immediate attention.
The recommended mitigation is to upgrade to OFFIS DCMTK version 3.7.0, which contains the patch identified by commit ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. The patch fixes the null pointer dereference by validating pointers before any dereference in the affected functions. Organizations should prioritize this upgrade in their security maintenance, because the local access requirement narrows the exploitation window but does not remove the threat. The fix follows standard practice for correcting memory safety issues, and the impact maps to ATT&CK technique T1499.004, which covers denial of service achieved by exploiting application-level vulnerabilities. Healthcare organizations should also consider monitoring and alerting for unexpected dcmqrscp crashes or service disruptions, especially where DICOM services are critical to patient care.
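The pattern the two paragraphs above describe, as an added illustration that is not DCMTK source: a simplified query/retrieve request handler in the unguarded shape (CWE-476) next to a pointer-validating shape that turns a missing database handle or request dataset into a refusal status instead of a crash. The type and function names are hypothetical; the status values follow the DICOM C-FIND/C-MOVE convention (0x0000 = Success, 0xA700 = Refused: Out of Resources).

```cpp
// Added illustration, not DCMTK code: hypothetical names modelling a
// query/retrieve request handler before and after pointer validation.
#include <cstdint>
#include <string>

struct DicomDataset {             // stand-in for the request identifier dataset
    std::string sopClassUID;
};
struct IndexDatabase {            // stand-in for the dcmqrscp index database
    bool opened = false;
};
struct RequestStatus {            // DIMSE-style status reported to the peer
    uint16_t code = 0x0000;
    std::string message;
};

constexpr uint16_t STATUS_SUCCESS = 0x0000;
constexpr uint16_t STATUS_REFUSED_OUT_OF_RESOURCES = 0xA700;

// Unguarded shape (CWE-476): every pointer is dereferenced as if it were
// valid, so a null handle, dataset or status object crashes the process.
uint16_t startFindRequestUnguarded(IndexDatabase* db, DicomDataset* request,
                                   RequestStatus* status) {
    status->code = db->opened ? STATUS_SUCCESS : STATUS_REFUSED_OUT_OF_RESOURCES;
    status->message = request->sopClassUID;
    return status->code;
}

// Guarded shape: validate each pointer before use and report a refusal
// status for bad internal state rather than dereferencing null.
uint16_t startFindRequestGuarded(IndexDatabase* db, DicomDataset* request,
                                 RequestStatus* status) {
    if (status == nullptr) return STATUS_REFUSED_OUT_OF_RESOURCES;
    if (db == nullptr || !db->opened) {
        status->code = STATUS_REFUSED_OUT_OF_RESOURCES;
        status->message = "index database handle is not available";
        return status->code;
    }
    if (request == nullptr || request->sopClassUID.empty()) {
        status->code = STATUS_REFUSED_OUT_OF_RESOURCES;
        status->message = "request carries no identifier";
        return status->code;
    }
    status->code = STATUS_SUCCESS;
    status->message = "query accepted for " + request->sopClassUID;
    return status->code;
}
```

The same guard applies to the move path; only the status semantics reported to the peer differ.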