#573 CVE-2025-48429

3.0.25
open
None
5
2026-04-14
2026-01-07
No

This description is extracted from https://talosintelligence.com/vulnerability_reports/TALOS-2025-2214

126. class RLEHeader
127. {
128. public:
129.   uint32_t NumSegments;
130.   uint32_t Offset[15];
131. 
132.   void Print(std::ostream &os)
133.     {
134.     os << "NumSegments:" << NumSegments << "\n";
135.     for(int i=0; i<15; ++i)
136.       {
137.       os << i << ":" << Offset[i] << "\n";
138.       }
139.     }
140. };

We can observe that Offset is a fixed-size array of uint32_t with a length of 15. If the NumSegments variable (sourced from frame.Header.NumSegments at LINE 11) is set to a value larger than the maximum number of entries in the Offset array (LINE 130), this leads to an out-of-bounds access and causes the crash. A malformed DICOM file can manipulate the value of NumSegments to control the behavior of the for-loop, potentially resulting in the exposure of sensitive information.
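The bound that the description implies, as an added example (not GDCM's code and not the referenced fix): a header parser that rejects a NumSegments value larger than the Offset array before any loop uses it as an index. ParseRLEHeader, ReadLE32 and MakeFragment are hypothetical names; the 64-byte little-endian header layout follows the DICOM RLE encoding, and the strictly increasing offset check is an extra assumption of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Same fields as the RLEHeader class quoted above.
struct RLEHeader { uint32_t NumSegments; uint32_t Offset[15]; };
constexpr uint32_t kMaxSegments = 15;  // capacity of Offset[]
constexpr size_t kHeaderSize = 64;     // 16 little-endian uint32_t values

static uint32_t ReadLE32(const uint8_t *p) {
  return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) |
         (uint32_t(p[3]) << 24);
}

// Hypothetical helper: returns true only if a later loop over
// [0, NumSegments) stays inside Offset[] and each offset is inside the fragment.
bool ParseRLEHeader(const uint8_t *frag, size_t len, RLEHeader &out) {
  if (len < kHeaderSize) return false;  // truncated header
  out.NumSegments = ReadLE32(frag);
  if (out.NumSegments == 0 || out.NumSegments > kMaxSegments)
    return false;  // a count of 16+ would index past Offset[14]
  for (uint32_t i = 0; i < kMaxSegments; ++i)
    out.Offset[i] = ReadLE32(frag + 4 * (i + 1));
  uint32_t prev = 0;
  for (uint32_t i = 0; i < out.NumSegments; ++i) {
    const uint32_t off = out.Offset[i];
    // Assumption: segments follow the header in strictly increasing order.
    if (off < kHeaderSize || off >= len || off <= prev) return false;
    prev = off;
  }
  return true;
}

// Constructed sample: a header with one offset set, plus `payload` data bytes.
std::vector<uint8_t> MakeFragment(uint32_t numSegments, uint32_t firstOffset,
                                  size_t payload) {
  std::vector<uint8_t> f(kHeaderSize + payload, 0);
  for (int b = 0; b < 4; ++b) {
    f[b] = uint8_t(numSegments >> (8 * b));
    f[4 + b] = uint8_t(firstOffset >> (8 * b));
  }
  return f;
}

int main() {
  RLEHeader h;
  auto bad = MakeFragment(16, 64, 16);  // NumSegments one past capacity
  return ParseRLEHeader(bad.data(), bad.size(), h) ? 1 : 0;  // exits 0: rejected
}
```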

Discussion

  • Mathieu Malaterre

    • summary: CVE-2025-2214 --> CVE-2025-48429
     
  • Emmanuel Arias

    Emmanuel Arias - 2026-03-26

    Hi! Sorry to bother you. Do you have a plan to fix these CVE-*?

    Thanks

     
  • Bradley Lowekamp

    This appears to have been addressed in commit: 0393310f8bb27c3bec8b67c6bfb18f71f6a15bb8

     
  • Emmanuel Arias

    Emmanuel Arias - 2026-04-14

    Reading the patch, it seems to be related to the CVE, but the commit message didn't confirm it.

     
