CVE-2025-31946 is a use-after-free vulnerability identified in Pixmeo's OsiriX MD software, a medical imaging application widely used for viewing and processing DICOM files. The vulnerability arises when a locally executed attacker imports a specially crafted DICOM file, triggering a use-after-free condition in the application's memory management. This flaw can lead to memory corruption or cause the system to crash. The vulnerability does not require any authentication or user interaction beyond the import of the malicious file, and it is exploitable locally, meaning an attacker must have access to the system to exploit it. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the local attack vector but high impact on availability due to potential system crashes or memory corruption. The vulnerability is categorized under CWE-416 (Use After Free), which typically allows attackers to manipulate program flow or cause denial of service. No known exploits are currently reported in the wild, and no patches have been published yet. The affected versions are not specifically detailed, but the vulnerability affects OsiriX MD generally. Given the nature of the software—used primarily in medical environments for diagnostic imaging—this vulnerability poses a risk to the stability and reliability of critical healthcare systems if exploited.

For European organizations, particularly healthcare providers and medical research institutions relying on OsiriX MD for diagnostic imaging, this vulnerability could disrupt clinical workflows by causing application crashes or system instability. Such disruptions may delay patient diagnosis and treatment, impacting patient safety and care quality. Additionally, memory corruption could potentially be leveraged for further exploitation, although no evidence currently suggests remote exploitation or privilege escalation. The local attack requirement limits the threat to insiders or attackers with physical or remote access to the system. However, given the sensitive nature of medical data and the critical role of imaging software, even temporary denial of service or system instability can have significant operational and reputational consequences. Compliance with EU regulations such as GDPR and the Medical Device Regulation (MDR) also means that organizations must address such vulnerabilities promptly to avoid regulatory penalties.

European healthcare organizations should implement strict access controls to limit who can import DICOM files into OsiriX MD, ensuring only trusted personnel handle such files. Network segmentation and endpoint security measures should be enforced to prevent unauthorized local access. Regular monitoring for abnormal application behavior or crashes can help detect exploitation attempts early. Until an official patch is released, organizations could consider isolating systems running OsiriX MD from untrusted networks and disabling or restricting the import of external DICOM files where feasible. Additionally, maintaining up-to-date backups and incident response plans tailored to medical imaging systems will reduce downtime impact. Coordination with Pixmeo for timely patch deployment and applying any available vendor mitigations as soon as they are released is critical. Finally, conducting user training to raise awareness about the risks of importing unverified DICOM files can reduce accidental exposure.