CVE-2025-14841 | THREATINT

Description

A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted element is the function DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. This manipulation causes null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue. Patch name: ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component.

PUBLISHED Reserved 2025-12-17 | Published 2025-12-18 | Updated 2025-12-18 | Assigner VulDB

MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

LOW: 3.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

LOW: 3.3CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

1.7AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C

Problem types

NULL Pointer Dereference

Denial of Service

Product status

3.6.0

affected

3.6.1

affected

3.6.2

affected

3.6.3

affected

3.6.4

affected

3.6.5

affected

3.6.6

affected

3.6.7

affected

3.6.8

affected

3.6.9

affected

3.7.0

unaffected

Timeline

2025-12-17:	Advisory disclosed
2025-12-17:	VulDB entry created
2025-12-17:	VulDB entry last update

Credits

KendrickZou (VulDB User) reporter

References

vuldb.com/?id.337004 (VDB-337004 | OFFIS DCMTK dcmqrscp dcmqrdbi.cc startMoveRequest null pointer dereference) vdb-entry technical-description

vuldb.com/?ctiid.337004 (VDB-337004 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.714605 (Submit #714605 | OFFIS DCMTK 3.6.9 Denial of Service) third-party-advisory

vuldb.com/?submit.714634 (Submit #714634 | OFFIS DCMTK 3.6.9 Denial of Service (Duplicate)) third-party-advisory

support.dcmtk.org/redmine/issues/1183 issue-tracking

github.com/...ommit/ffb1a4a37d2c876e3feeb31df4930f2aed7fa030 patch

github.com/DCMTK/dcmtk/releases/tag/DCMTK-3.7.0 patch

cve.org (CVE-2025-14841)

nvd.nist.gov (CVE-2025-14841)

Download JSON