Skip to main content

OFFIS DCMTK CVE-2025-14841

LOW
Improper Resource Shutdown or Release (CWE-404)
2025-12-18 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:48 vuln.today

DescriptionCVE.org

A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted element is the function DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. This manipulation causes null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue. Patch name: ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component.

AnalysisAI

Null pointer dereference in OFFIS DCMTK up to version 3.6.9 within the DcmQueryRetrieveIndexDatabaseHandle::startFindRequest and DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest functions in dcmqrscp causes denial of service. The vulnerability requires local access with low privilege level and results in availability impact through service crash. No public exploit code is confirmed, and EPSS exploitation probability is extremely low at 0.04%, indicating this is a low-priority reliability issue rather than an active security threat.

Technical ContextAI

DCMTK (DICOM Toolkit) is an open-source library for handling DICOM (Digital Imaging and Communications in Medicine) data. The vulnerability exists in the dcmqrscp component, specifically in the dcmqrdb/libsrc/dcmqrdbi.cc library file. The DcmQueryRetrieveIndexDatabaseHandle class implements query and retrieve operations for DICOM services. The flaw is a null pointer dereference (CWE-404), a memory corruption issue where the code attempts to dereference a pointer that has not been properly validated before use. This occurs in the query find request and move request handlers, which are core DICOM query/retrieve protocol operations invoked by remote DICOM clients but requiring local process-level access to trigger.

Affected ProductsAI

OFFIS DCMTK versions from the earliest version up to and including 3.6.9 are affected. The vulnerability exists in the dcmqrscp component within the dcmqrdb library. The affected product CPE is not explicitly provided in the reference data, but DCMTK releases are available at https://github.com/DCMTK/dcmtk/releases. All installations using DCMTK 3.6.9 or earlier with dcmqrscp deployed should be considered vulnerable.

RemediationAI

Upgrade OFFIS DCMTK to version 3.7.0 or later, which contains the fix. The patch is identified by commit hash ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. For organizations unable to upgrade immediately, restrict local access to systems running dcmqrscp to trusted users only by implementing operating-system-level access controls (group membership, privilege restrictions) on the process and its data directory. Monitor dcmqrscp process logs for crash events that may indicate null pointer dereference exploitation attempts. The availability impact is limited to service disruption (crash/restart) rather than data loss, so the actual operational risk of delay is low. See https://support.dcmtk.org/redmine/issues/1183 for additional context.

Share

CVE-2025-14841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy