CVE-2025-25475
Published: 18 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-25475 is a NULL pointer dereference (CWE-476) in /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV versions. Published on 2025-02-18, it lets an attacker cause a Denial of Service (DoS) by having the library process a crafted DICOM file. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): high severity because the malicious file can arrive over the network, exploitation is low-complexity, and no privileges or user interaction are required, with the impact limited to availability.
Remote, unauthenticated attackers can exploit the vulnerability by supplying a malicious DICOM file to any DCMTK-based application or service that parses such files, such as medical imaging systems that accept DICOM objects from the network. Exploitation crashes the application via the NULL pointer dereference, resulting in DoS; confidentiality and integrity are not affected.
A fix is available in DCMTK's repository as commit bffa3e9116abb7038b432443f16b1bd390e80245, accessible through the project's Git server and GitHub mirror. Debian LTS has also addressed the issue in an announcement dated 2025/06. Practitioners should update affected DCMTK instances (including applications that bundle the library) and, where possible, validate DICOM inputs from untrusted sources before they reach the parser.
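As an added illustration (not code from DCMTK, Debian or this advisory), the following Python pre-screen parses only the Part 10 file meta header of an incoming file and reports whether its Transfer Syntax UID is RLE Lossless (1.2.840.10008.1.2.5). It assumes, because dcrleccd.cc is DCMTK's RLE codec decoder, that the crash path is only reached when RLE-compressed pixel data is decoded, so such files are the ones to hold back until a patched DCMTK handles them. The sample files, the UIDs 1.2.3.4 and 1.2.3.4.5, and the verdict names are constructed here for the example.

```python
import struct

# Transfer Syntax UIDs (DICOM PS3.6, Annex A).
RLE_LOSSLESS = "1.2.840.10008.1.2.5"
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# VRs whose explicit-VR header carries 2 reserved bytes and a 4-byte length.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def read_file_meta(data: bytes) -> dict:
    """Parse the File Meta Information (group 0002) of a DICOM Part 10 file.

    Returns {(group, element): raw value bytes}. Rejects anything that is not
    a Part 10 file or whose element lengths run past the buffer, so a malformed
    header is refused here instead of being handed to the decoder.
    """
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos, end, elements = 132, None, {}
    while pos < len(data) and (end is None or pos < end):
        if pos + 8 > len(data):
            raise ValueError("truncated element header")
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # first data set element: file meta information is over
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                raise ValueError("truncated element header")
            (length,) = struct.unpack_from("<I", data, pos + 8)
            hdr = 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            hdr = 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined length is not allowed in file meta information")
        start, stop = pos + hdr, pos + hdr + length
        if stop > len(data):
            raise ValueError("element value runs past end of file")
        elements[(group, elem)] = data[start:stop]
        if (group, elem) == (0x0002, 0x0000):  # File Meta Information Group Length
            if length != 4:
                raise ValueError("bad group length element")
            end = stop + struct.unpack("<I", data[start:stop])[0]
        pos = stop
    return elements


def transfer_syntax(data: bytes) -> str:
    raw = read_file_meta(data).get((0x0002, 0x0010))
    if raw is None:
        raise ValueError("no Transfer Syntax UID in file meta information")
    return raw.rstrip(b"\x00 ").decode("ascii")  # UI values are NUL-padded to even length


def needs_rle_decoder(data: bytes) -> bool:
    """True if decoding this file's pixel data would run DCMTK's RLE codec."""
    return transfer_syntax(data) == RLE_LOSSLESS


def screen(data: bytes) -> str:
    """Triage verdict (names chosen for this example): 'reject' for a malformed or
    non-Part-10 header, 'rle' for RLE Lossless (hold for a patched DCMTK), 'plain' otherwise."""
    try:
        return "rle" if needs_rle_decoder(data) else "plain"
    except ValueError:
        return "reject"


# --- constructed sample files for offline testing (not real patient data) ---

def _element(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def _ui(uid: str) -> bytes:
    b = uid.encode("ascii")
    return b + b"\x00" if len(b) % 2 else b  # UI VR pads odd lengths with NUL


def build_sample_file(ts_uid: str) -> bytes:
    """Minimal Part 10 file: preamble, DICM, group 0002, then one data set element."""
    body = (_element(0x0002, 0x0001, b"OB", b"\x00\x01")
            + _element(0x0002, 0x0002, b"UI", _ui("1.2.840.10008.5.1.4.1.1.7"))  # Secondary Capture
            + _element(0x0002, 0x0003, b"UI", _ui("1.2.3.4.5"))  # made-up instance UID
            + _element(0x0002, 0x0010, b"UI", _ui(ts_uid))
            + _element(0x0002, 0x0012, b"UI", _ui("1.2.3.4")))  # made-up implementation UID
    meta = _element(0x0002, 0x0000, b"UL", struct.pack("<I", len(body))) + body
    dataset = _element(0x0008, 0x0016, b"UI", _ui("1.2.840.10008.5.1.4.1.1.7"))
    return b"\x00" * 128 + b"DICM" + meta + dataset


if __name__ == "__main__":
    for uid in (RLE_LOSSLESS, EXPLICIT_VR_LE):
        print(uid, "->", screen(build_sample_file(uid)))
    print("truncated ->", screen(build_sample_file(RLE_LOSSLESS)[:150]))
```

This is triage, not a fix: an RLE file that is eventually decoded still needs the patched DCMTK. Files that lack the 128-byte preamble and DICM magic (raw data sets) are rejected on purpose, since their transfer syntax cannot be determined without parsing the full data set.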
Details
- CWE(s): CWE-476 NULL Pointer Dereference
- Affected Products: DCMTK v3.6.9+ DEV versions (/libsrc/dcrleccd.cc)
- MITRE ATT&CK Enterprise Techniques: Application or System Exploitation (Endpoint Denial of Service)
Why these techniques?
A NULL pointer dereference in the DICOM parser lets a remote, unauthenticated attacker crash the application with a crafted file, which maps directly to application exploitation for endpoint denial of service.