CVE-2025-25474: 
Linux Debian vulnerability analysis and mitigation

DCMTK v3.6.9+ DEV was discovered to contain a buffer overflow vulnerability via the component /dcmimgle/diinpxt.h. The vulnerability was identified in February 2025 and assigned CVE-2025-25474. The issue affects the DCMTK (DICOM Toolkit) software's image processing functionality (MITRE CVE).

The vulnerability occurs when processing invalid DICOM images where the number of pixels stored does not match the expected number of pixels (too few) and the combination of BitsAllocated and BitsStored has unusual values (e.g., 1 bit stored with 52 bits allocated). A buffer overflow on the heap occurs when the last pixel doesn't fit into the input pixel data buffer. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD Database).

The buffer overflow vulnerability could potentially lead to unauthorized access to memory locations and possible code execution. The CVSS score indicates that the vulnerability has low to medium impact on confidentiality and integrity, with no direct impact on availability (NVD Database).

A fix has been implemented that ensures the last entry of the buffer is filled with the smallest possible value (e.g., 0 in case of unsigned data) when processing invalid DICOM images. The fix is available in the DCMTK repository through commit 1d205bcd307164c99e0d4bbf412110372658d847 (DCMTK Git).