PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-31946 Pixmeo CVE debrief

CVE-2025-31946 affects Pixmeo OsiriX MD and is described by CISA as a local use-after-free. According to the advisory, an attacker who can locally import a crafted DICOM file may trigger memory corruption or a system crash. The advisory was published on 2025-05-08; the supplied corpus does not list the CVE in CISA KEV.

Vendor: Pixmeo
Product: OsiriX MD
CVSS: 6.2 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-08
Original CVE updated: 2025-05-08
Advisory published: 2025-05-08
Advisory updated: 2025-05-08

Who should care

Organizations running Pixmeo OsiriX MD: medical imaging teams, the administrators of the workstations it runs on, and security teams responsible for any system that imports DICOM files. Clinical workstations should be prioritized because the scored impact is loss of availability through memory corruption on the workstation itself.

Technical summary

The supplied CSAF advisory describes a local use-after-free in OsiriX MD. The trigger is a crafted DICOM file imported locally, which can lead to memory corruption or a system crash. The provided CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base score 6.2 (Medium). Read component by component: the attacker needs a local path to import the file (AV:L) but no privileges (PR:N); user interaction is scored as None even though the described trigger is an import, so unattended or automated import paths should be treated as in scope; and the impact is confined to availability (C:N/I:N/A:H), matching an advisory that claims crash and memory corruption but neither data exposure nor code execution.

Defensive priority

Medium. Patch promptly on every workstation running OsiriX MD, with extra attention to systems that handle untrusted or externally supplied DICOM files. The impact the advisory describes is crash and memory corruption rather than data exposure, so the main operational risk is a viewer or workstation being taken out of service during clinical use.

Recommended defensive actions

  • Install the latest version of OsiriX MD from Pixmeo, as directed in the vendor remediation.
  • Inventory all systems running OsiriX MD and record which of them import DICOM files, and from where.
  • Treat externally sourced DICOM files as untrusted: route them through a controlled intake step, and limit import to trusted operators on managed systems.
  • Until the update is installed, monitor affected workstations for unexpected OsiriX MD crashes, which on macOS appear as application crash reports.
  • Apply CISA's ICS recommended practices and general defense-in-depth guidance to medical imaging endpoints.
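As an added example of the "treat imported DICOM files as untrusted" action above, here is a bounds-checked intake gate in Python. It is example code written for this page, not Pixmeo or CISA code. It parses only the DICOM Part 10 preamble and the File Meta Information group (0002,xxxx), rejects truncated or internally inconsistent headers before anything downstream parses them, and enforces an allow-list of transfer syntaxes. The allow-list and the sample files are constructed for illustration. The advisory does not describe the crafted file, so this gate cannot detect the CVE-2025-31946 trigger specifically; it only keeps malformed or unexpected input away from the viewer and gives the intake step a recorded accept/reject decision.

```python
import struct

# Explicit VR Little Endian: these VRs carry 2 reserved bytes and a 4-byte length;
# every other VR uses a 2-byte length (DICOM PS3.5, section 7.1.2).
LONG_LENGTH_VRS = {b"OB", b"OD", b"OF", b"OL", b"OW", b"SQ", b"UC", b"UN", b"UR", b"UT"}

# Constructed allow-list for this example; a real gate would list only the
# transfer syntaxes a site actually receives (UIDs from DICOM PS3.6, Annex A).
ALLOWED_TRANSFER_SYNTAXES = {
    "1.2.840.10008.1.2": "Implicit VR Little Endian",
    "1.2.840.10008.1.2.1": "Explicit VR Little Endian",
    "1.2.840.10008.1.2.4.70": "JPEG Lossless, First-Order Prediction",
}


class DicomRejected(Exception):
    """The file failed the structural intake check."""


def parse_file_meta(data: bytes) -> dict:
    """Parse the Part 10 preamble and File Meta group; every offset is bounds-checked before use."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise DicomRejected("no 128-byte preamble followed by 'DICM' magic")
    pos, meta, group_end = 132, {}, None
    while pos < len(data):
        if pos + 8 > len(data):
            raise DicomRejected("truncated element header at offset %d" % pos)
        group, element = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # first data set element: the meta group is complete
        vr = data[pos + 4:pos + 6]
        if not (vr.isalpha() and vr.isupper()):
            raise DicomRejected("invalid VR %r at offset %d" % (vr, pos))
        long_vr = vr in LONG_LENGTH_VRS
        if long_vr and pos + 12 > len(data):
            raise DicomRejected("truncated 4-byte length field at offset %d" % pos)
        length = struct.unpack_from("<I" if long_vr else "<H", data, pos + (8 if long_vr else 6))[0]
        start = pos + (12 if long_vr else 8)
        end = start + length  # an undefined length (0xFFFFFFFF) also fails this check
        if end > len(data):
            raise DicomRejected("(%04X,%04X) length %d overruns the file" % (group, element, length))
        value = data[start:end]
        if (group, element) == (0x0002, 0x0000):  # File Meta Information Group Length
            if vr != b"UL" or length != 4:
                raise DicomRejected("malformed File Meta Information Group Length")
            group_end = end + struct.unpack("<I", value)[0]
        meta[(group, element)] = (vr, value)
        pos = end
        if group_end is not None and pos >= group_end:
            break
    return meta


def meta_uid(meta: dict, element: int):
    """Return the (0002,element) UI value as text, or None if absent or not a UI."""
    vr, value = meta.get((0x0002, element), (None, b""))
    return value.rstrip(b"\x00 ").decode("ascii", errors="replace") if vr == b"UI" else None


def triage(data: bytes) -> dict:
    """Decide whether a file is structurally sane enough to hand to the viewer."""
    try:
        meta = parse_file_meta(data)
    except DicomRejected as exc:
        return {"verdict": "reject", "reason": str(exc)}
    ts = meta_uid(meta, 0x0010)
    if ts not in ALLOWED_TRANSFER_SYNTAXES:
        return {"verdict": "reject", "reason": "transfer syntax %r not on allow-list" % ts}
    return {"verdict": "accept", "transfer_syntax": ALLOWED_TRANSFER_SYNTAXES[ts],
            "sop_class": meta_uid(meta, 0x0002), "sop_instance": meta_uid(meta, 0x0003)}


def _element(group: int, element: int, vr: bytes, value: bytes) -> bytes:
    """Encode one Explicit VR Little Endian element, padding odd values to even length."""
    value += b"\x00" * (len(value) % 2)
    if vr in LONG_LENGTH_VRS:
        return struct.pack("<HH2sHI", group, element, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value


def build_sample(transfer_syntax: bytes) -> bytes:
    """Constructed minimal Part 10 header: CT Image Storage with a made-up instance UID."""
    body = (_element(0x0002, 0x0001, b"OB", b"\x00\x01")
            + _element(0x0002, 0x0002, b"UI", b"1.2.840.10008.5.1.4.1.1.2")
            + _element(0x0002, 0x0003, b"UI", b"1.2.3.4")
            + _element(0x0002, 0x0010, b"UI", transfer_syntax))
    group_length = _element(0x0002, 0x0000, b"UL", struct.pack("<I", len(body)))
    # Four bytes of tag (0008,0016) stand in for the start of the data set proper.
    return b"\x00" * 128 + b"DICM" + group_length + body + struct.pack("<HH", 0x0008, 0x0016)


SAMPLE_OK = build_sample(b"1.2.840.10008.1.2.1")
# Constructed header whose Transfer Syntax element claims 65535 bytes it does not have.
SAMPLE_LYING_LENGTH = (b"\x00" * 128 + b"DICM" + struct.pack("<HH2sH", 0x0002, 0x0010, b"UI", 0xFFFF)
                       + b"1.2.840.10008.1.2.1\x00")

if __name__ == "__main__":
    print(triage(SAMPLE_OK), triage(SAMPLE_LYING_LENGTH), triage(SAMPLE_OK[:150]), sep="\n")
```

The gate deliberately stops at the end of group 0002 and never touches pixel data or the data set proper: the point is to make the decision on a small, fully bounds-checked header, and to quarantine anything that fails before a full-featured parser sees it. Rejected files should be logged with the reason string so operators can tell a truncated transfer from a deliberately malformed one.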

Evidence notes

All claims are derived from the supplied CISA CSAF source item and its listed references. The advisory text states the product is vulnerable to a local use-after-free scenario that may be triggered by locally importing a crafted DICOM file, causing memory corruption or a system crash. The source item also includes a vendor remediation to download the latest version of OsiriX MD. No KEV entry is present in the supplied corpus.

Official resources

Publicly disclosed by CISA in ICS Medical Advisory ICSMA-25-128-01 on 2025-05-08. The advisory and the CVE record were published the same day; the source corpus does not indicate KEV inclusion.