CVE-2025-9732

NameCVE-2025-9732
DescriptionA vulnerability was identified in DCMTK up to 3.6.9. This affects an unknown function in the library dcmimage/include/dcmtk/dcmimage/diybrpxt.h of the component dcm2img. Such manipulation leads to memory corruption. Local access is required to approach this attack. The name of the patch is 7ad81d69b. It is best practice to apply a patch to resolve this issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4363-1
Debian Bugs1113993

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dcmtk (PTS)bullseye3.6.5-1vulnerable
bullseye (security)3.6.5-1+deb11u5fixed
bookworm3.6.7-9~deb12u3vulnerable
forky, sid, trixie3.6.9-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dcmtksourcebullseye3.6.5-1+deb11u5DLA-4363-1
dcmtksource(unstable)(unfixed)1113993

Notes

[trixie] - dcmtk <no-dsa> (Minor issue)
[bookworm] - dcmtk <no-dsa> (Minor issue)
https://github.com/DCMTK/dcmtk/commit/7ad81d69b19714936e18ea5fc74edaeb9f021ce7
https://github.com/DCMTK/dcmtk/commit/3de96da6cd66b1af7224561c568bc3de50cd1398
Search for package or bug name: Reporting problems