CVE-2025-9732: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-9732) was identified in DCMTK versions up to 3.6.9, affecting the dcm2img component's library function in dcmimage/include/dcmtk/dcmimage/diybrpxt.h. The vulnerability was discovered on August 31, 2025, and involves memory corruption issues that require local access to exploit (NVD, VulDB).

The vulnerability stems from improper memory buffer operations where the system can read from or write to memory locations outside the intended boundary. The issue specifically occurs when processing invalid DICOM images with a Photometric Interpretation of 'YBR_FULL' and a Planar Configuration of '1' where the number of stored pixels doesn't match the expected count. The vulnerability has received a CVSS v3.1 Base Score of 7.8 (HIGH) and a CVSS v4.0 Base Score of 4.8 (MEDIUM) (NVD, GitHub).

The vulnerability affects the confidentiality, integrity, and availability of the system. When exploited, it can lead to memory corruption through improper validation of pixel pointers during YBR conversion, resulting in illegal memory access and potential system crashes (VulDB, Submit).

A patch (7ad81d69b) has been released to address this vulnerability. The fix prevents processing of invalid pixel data and instead creates an empty image with black pixels, while warning users through an appropriate log message. It is recommended to apply this patch to affected systems (GitHub).