CVE-2025-14841 identifies a null pointer dereference vulnerability in the OFFIS DCMTK library, specifically affecting versions 3.6.0 through 3.6.9. The flaw resides in the DcmQueryRetrieveIndexDatabaseHandle class within the dcmqrscp component, particularly in the startFindRequest and startMoveRequest functions located in dcmqrdb/libsrc/dcmqrdbi.cc. When these functions are invoked with certain manipulated inputs, a null pointer dereference occurs, leading to application instability or crashes. Exploitation requires local access with low complexity and no user interaction, meaning an attacker must have some level of local system privileges but does not need to trick a user or perform complex steps. The vulnerability does not affect confidentiality or integrity directly but impacts availability by causing denial of service conditions in systems handling DICOM query/retrieve operations. DCMTK is widely used in medical imaging environments for managing DICOM data, making this vulnerability particularly relevant to healthcare providers and associated IT infrastructure. The issue is resolved by upgrading to DCMTK version 3.7.0, which includes a patch that prevents the null pointer dereference. No known exploits are currently reported in the wild, but the presence of local access requirements limits remote exploitation. Given the critical role of DCMTK in medical imaging workflows, unpatched systems may experience service disruptions affecting patient care processes.

The primary impact of CVE-2025-14841 is on the availability of medical imaging systems that utilize the DCMTK library for DICOM query and retrieval operations. In European healthcare environments, where DCMTK is commonly deployed, exploitation could lead to denial of service conditions, causing interruptions in accessing or transferring medical imaging data. This can delay diagnostics and treatment, potentially affecting patient outcomes. Since the vulnerability requires local access, the risk is higher in environments where multiple users have system-level access or where insider threats exist. The flaw does not compromise data confidentiality or integrity, so data breaches or manipulation are unlikely. However, the disruption of critical healthcare IT services can have significant operational and reputational consequences. European healthcare providers with integrated PACS (Picture Archiving and Communication Systems) and RIS (Radiology Information Systems) relying on DCMTK are particularly at risk. The impact is mitigated by the availability of a fixed version, but failure to patch could result in repeated service outages and increased operational costs.

To mitigate CVE-2025-14841, organizations should promptly upgrade all DCMTK deployments to version 3.7.0 or later, which contains the fix for the null pointer dereference. Restrict local access to systems running DCMTK to trusted and authorized personnel only, minimizing the risk of exploitation by insiders or compromised accounts. Implement strict access controls and monitoring on servers hosting the dcmqrscp service to detect unusual activity or repeated crashes that may indicate exploitation attempts. Employ application whitelisting and endpoint protection to prevent unauthorized code execution or manipulation of DCMTK components. Regularly audit and review user privileges to ensure the principle of least privilege is enforced. In environments where immediate upgrading is not feasible, consider isolating affected systems from non-essential users and networks to reduce exposure. Maintain comprehensive logging of DCMTK operations to facilitate incident response and forensic analysis if exploitation is suspected. Finally, integrate DCMTK patch management into the broader healthcare IT security lifecycle to ensure timely updates in the future.