CVE-2025-14607
Published: 2025-12-13
Priority: P3 (40) · Severity: medium · CVSS 3.1 base score: 6.3
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.23% (14.1th percentile)
A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by this issue is the function DcmByteString::makeDicomByteString of the file dcmdata/libsrc/dcbytstr.cc of the component dcmdata. The manipulation results in memory corruption. The attack can be launched remotely. Upgrading to version 3.7.0 can resolve this issue. The patch is identified as 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. You should upgrade the affected component.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dcmtk | < dcmtk 3.6.5-1+deb11u6 (bullseye) | dcmtk 3.6.5-1+deb11u6 (bullseye) |
| offis | dcmtk | — | — |
| offis | dcmtk | >= 0 < 3.6.5-1+deb11u6 | 3.6.5-1+deb11u6 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
GHSA
GHSA-8cqp-6cwx-f84x: A vulnerability was detected in OFFIS DCMTK up to 3.6.9
ghsa_unreviewed · 2025-12-13 · CVE-2025-14607 [MEDIUM] · CWE-119
Description: identical to the text above.
OSV
CVE-2025-14607: A vulnerability was detected in OFFIS DCMTK up to 3.6.9
osv · 2025-12-13 · CVSS 5.3 · CVE-2025-14607 [MEDIUM]
Description: identical to the text above.
Red Hat
dcmtk: OFFIS DCMTK: Remote memory corruption vulnerability
vendor_redhat · 2025-12-13 · CVSS 5.3 · CVE-2025-14607 [MEDIUM] · CWE-119
Description: identical to the text above.
A flaw was found in OFFIS DCMTK (Digital Imaging and Communications in Medicine Toolkit). This vulnerability allows memory corruption via a remote attack.
Statement: This vulnerability is rated Moderate for Red Hat products. A memory corruption flaw exists in the `DcmByteString::makeDicomByteString` …
Debian
CVE-2025-14607: dcmtk - A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by this issue ...
vendor_debian · 2025 · CVSS 5.3 · CVE-2025-14607 [MEDIUM]
Description: identical to the text above.
Scope: local
Release status:
- bookworm: open
- bullseye: resolved (fixed in 3.6.5-1+deb11u6)
- forky: open
- sid: open
- trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-14607 dcmtk: OFFIS DCMTK: Remote memory corruption vulnerability [fedora-42]
bugzilla · 2025-12-17 · CVSS 5.3 · CVE-2025-14607 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug re
Wiz
CVE-2025-14607 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · CVE-2025-14607 [MEDIUM]
## CVE-2025-14607: Linux Debian vulnerability analysis and mitigation
Description: identical to the text above (Source: NVD).
Score: 5.3
Published: December 13, 2025
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: Linux Debian
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 27.8
References:
- https://github.com/DCMTK/dcmtk/commit/4c0e5c10079392c594d6a7abd95dd78ac0aa556a
- https://support.dcmtk.org/redmine/issues/1184
- https://support.dcmtk.org/redmine/projects/dcmtk/activity?from=2025-12-02
- https://support.dcmtk.org/redmine/versions/19
- https://vuldb.com/?ctiid.336283
- https://vuldb.com/?id.336283
- https://vuldb.com/?submit.705036