Buffer overflow in Offis Dcmtk
CVE-2025-14607
A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by this issue is the function DcmByteString::makeDicomByteString of the file dcmdata/libsrc/dcbytstr.cc of the component dcmdata. The manipulation results in memory corrupti…
Vulnerability class: Buffer Overflow
EPSS: 0.001 (26.0th percentile)
CVSS v3 metric
CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C.
Affected products
- Offis Dcmtk — versions 3.6.0, 3.6.1, 3.6.2
Weakness classification (CWE)
References
- VDB-336283 | OFFIS DCMTK dcmdata dcbytstr.cc makeDicomByteString memory corruption (vdb-entry, technical-description)
- VDB-336283 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
- Submit #705036 | OFFIS DCMTK 3.6.9 Buffer Overflow (third-party-advisory)
- support.dcmtk.org/redmine/issues/1184 (issue-tracking)
- support.dcmtk.org/redmine/projects/dcmtk/activity (related)
- github.com/DCMTK/dcmtk/commit/4c0e5c10079392c594d6a7abd95dd78ac0aa556a (patch)
- support.dcmtk.org/redmine/versions/19 (patch)
Frequently asked questions
- What is CVE-2025-14607?
- CVE-2025-14607 is a medium-severity vulnerability in Offis Dcmtk, classified under Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSS score: 6.3/10. Published 2025-12-13.
- How severe is CVE-2025-14607?
- Medium severity. CVSS v3 base score is 6.3 out of 10.