CVE-2025-14841 identifies a null pointer dereference vulnerability in the OFFIS DCMTK library, specifically within the DcmQueryRetrieveIndexDatabaseHandle class's startFindRequest and startMoveRequest functions, located in the dcmqrscp component's source file dcmqrdbi.cc. This flaw arises when these functions handle certain requests, leading to dereferencing a null pointer, which causes the application to crash. The vulnerability requires local access with low privileges and does not require user interaction, making it exploitable by an authenticated local user or process. The impact is primarily a denial of service, as the affected service handling DICOM query/retrieve operations can be terminated unexpectedly. DCMTK is widely used in medical imaging environments for handling DICOM data, including query/retrieve services. The vulnerability affects all versions from 3.6.0 through 3.6.9, with the issue resolved in version 3.7.0. No known exploits have been reported in the wild, and the CVSS v4.0 score is 4.8 (medium severity), reflecting the limited scope and impact. The patch identified by commit ffb1a4a37d2c876e3feeb31df4930f2aed7fa030 addresses the null pointer dereference by adding necessary checks or handling to prevent the crash. Organizations relying on DCMTK for medical imaging workflows should upgrade promptly to avoid service disruptions.

The primary impact of CVE-2025-14841 is denial of service due to application crashes caused by null pointer dereference in DCMTK's query/retrieve service. For European healthcare organizations, this can disrupt critical medical imaging workflows, potentially delaying diagnosis and treatment. Although the vulnerability does not expose patient data or allow privilege escalation, service unavailability in healthcare environments can have serious operational consequences. Given the reliance on DCMTK in many European hospitals and imaging centers, unpatched systems may experience interruptions in DICOM query/retrieve operations, affecting interoperability and clinical efficiency. The requirement for local access limits remote exploitation, but insider threats or compromised local accounts could trigger the vulnerability. No known exploits in the wild reduce immediate risk, but the potential for denial of service in sensitive environments warrants timely remediation. Compliance with healthcare regulations such as GDPR and medical device directives also necessitates maintaining secure and stable systems, making patching essential.

To mitigate CVE-2025-14841, affected organizations should upgrade all DCMTK installations to version 3.7.0 or later, which contains the fix for the null pointer dereference. In environments where immediate upgrade is not feasible, implementing strict access controls to limit local user permissions on systems running DCMTK can reduce exploitation risk. Monitoring and logging local access to DCMTK services should be enhanced to detect unusual activity that might trigger the vulnerability. Additionally, isolating DCMTK services within dedicated, hardened hosts or containers can limit the impact of potential crashes. Regularly reviewing and applying vendor patches and updates is critical. Healthcare organizations should also conduct impact assessments and test the upgraded versions in staging environments to ensure compatibility with existing medical imaging workflows before deployment. Finally, integrating DCMTK service availability monitoring into operational dashboards can provide early warning of service disruptions.