CVE-2025-9732: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-9732) was identified in DCMTK versions up to 3.6.9, specifically affecting the dcm2img component in the library dcmimage/include/dcmtk/dcmimage/diybrpxt.h. The vulnerability was discovered on August 30, 2025, and publicly disclosed on August 31, 2025 (VulDB).

The vulnerability is classified as a memory corruption issue (CWE-119), where the application performs operations on a memory buffer but can read from or write to memory locations outside the intended boundary. The vulnerability has received a CVSS v3.1 base score of 5.3 (Medium) and a CVSS v4.0 score of 4.8 (Medium). The attack vector is local (AV:L), requiring low attack complexity (AC:L) with low privileges (PR:L) and no user interaction (UI:N) (VulDB, NVD).

The vulnerability affects the confidentiality, integrity, and availability of the system, with each having a low impact rating. The issue specifically occurs when processing invalid DICOM images with a Photometric Interpretation of 'YBR_FULL' and a Planar Configuration of '1' where the number of stored pixels does not match the expected count (GitHub).

A patch (7ad81d69b) has been released to address this vulnerability. The fix involves modifying how the application handles invalid DICOM images by creating an empty image with black pixels instead of processing invalid pixel data, along with implementing appropriate warning messages (GitHub).