CVE-2025-14841 identifies a null pointer dereference vulnerability in the OFFIS DCMTK library, specifically within the DcmQueryRetrieveIndexDatabaseHandle class's startFindRequest and startMoveRequest functions in the dcmqrscp component. DCMTK is a widely used open-source toolkit for handling DICOM medical imaging data and services. The flaw arises when these functions improperly handle certain input or state conditions, leading to dereferencing a null pointer, which causes the application to crash or behave unpredictably. This vulnerability requires local attacker access to the system running the vulnerable DCMTK versions (3.6.0 through 3.6.9). No user interaction or elevated privileges beyond local access are necessary, and the flaw does not impact confidentiality or integrity directly but affects availability by causing denial of service. The vulnerability has a CVSS 4.8 (medium) score, reflecting its moderate impact and limited attack vector. The issue is fixed in version 3.7.0 of DCMTK, and the patch is identified by commit ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. No known exploits have been reported in the wild, but the vulnerability could be leveraged by insiders or attackers with local access to disrupt medical imaging services.

The primary impact of this vulnerability is denial of service due to application crashes caused by null pointer dereference. Organizations relying on DCMTK for DICOM query/retrieve services, especially in healthcare environments, may experience interruptions in medical imaging workflows, potentially delaying diagnosis or treatment. Since DCMTK is often integrated into PACS (Picture Archiving and Communication Systems) and other medical imaging infrastructure, this could affect hospital operations and patient care. The requirement for local access limits remote exploitation, reducing the risk of widespread attacks, but insider threats or compromised local accounts could exploit this flaw. The vulnerability does not directly compromise patient data confidentiality or integrity but impacts system availability, which is critical in healthcare settings. Given the specialized nature of DCMTK, the impact is mostly confined to healthcare providers, medical device manufacturers, and related service providers.

Organizations should upgrade all affected DCMTK instances to version 3.7.0 or later to fully remediate this vulnerability. Until the upgrade is applied, restrict local access to systems running DCMTK to trusted personnel only, and monitor for unusual application crashes or service disruptions related to dcmqrscp. Implement strict access controls and auditing on systems hosting DCMTK to detect and prevent unauthorized local access. Consider deploying application-level monitoring to detect abnormal behavior in DICOM query/retrieve operations. Additionally, review and harden the underlying operating system and network segmentation to limit the attack surface. For environments where immediate upgrade is not feasible, applying runtime protections such as memory safety tools or sandboxing the DCMTK processes may reduce risk. Finally, maintain up-to-date backups and incident response plans to quickly recover from any denial of service incidents.