Search
Find a vulnerability
Search criteria
20 vulnerabilities found for DICOM Server by Orthanc
CVE-2026-10528 (GCVE-0-2026-10528)
Vulnerability from nvd – Published: 2026-06-02 00:00 – Updated: 2026-06-02 12:23
VLAI
Title
Orthanc DICOM Server DCMTK FromDcmtkBridge.cpp read stack-based overflow
Summary
A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367636 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367636/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10528 | third-party-advisory |
| https://vuldb.com/submit/820766 | third-party-advisory |
| https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258 | issue-tracking |
| https://orthanc.uclouvain.be/bugs/show_bug.cgi?id… | issue-tracking |
| https://orthanc.uclouvain.be/bugs/attachment.cgi?id=150 | exploit |
| https://orthanc.uclouvain.be/hg/orthanc/rev/bae99… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
1.12.0
Affected: 1.12.1 Affected: 1.12.2 Affected: 1.12.3 Affected: 1.12.4 Affected: 1.12.5 Affected: 1.12.6 Affected: 1.12.7 Affected: 1.12.8 Affected: 1.12.9 Affected: 1.12.10 Affected: 1.12.11 cpe:2.3:a:orthanc:dicom_server:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10528",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T12:23:23.238834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:23:36.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:orthanc:dicom_server:*:*:*:*:*:*:*:*"
],
"modules": [
"DCMTK Parser"
],
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"status": "affected",
"version": "1.12.0"
},
{
"status": "affected",
"version": "1.12.1"
},
{
"status": "affected",
"version": "1.12.2"
},
{
"status": "affected",
"version": "1.12.3"
},
{
"status": "affected",
"version": "1.12.4"
},
{
"status": "affected",
"version": "1.12.5"
},
{
"status": "affected",
"version": "1.12.6"
},
{
"status": "affected",
"version": "1.12.7"
},
{
"status": "affected",
"version": "1.12.8"
},
{
"status": "affected",
"version": "1.12.9"
},
{
"status": "affected",
"version": "1.12.10"
},
{
"status": "affected",
"version": "1.12.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dapickle (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T00:00:17.171Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367636 | Orthanc DICOM Server DCMTK FromDcmtkBridge.cpp read stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367636"
},
{
"name": "VDB-367636 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367636/cti"
},
{
"name": "CVE-2026-10528 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10528"
},
{
"name": "Submit #820766 | orthanc orthanc core \u2264 1.12.11 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/820766"
},
{
"tags": [
"issue-tracking"
],
"url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258"
},
{
"tags": [
"issue-tracking"
],
"url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258#c4"
},
{
"tags": [
"exploit"
],
"url": "https://orthanc.uclouvain.be/bugs/attachment.cgi?id=150"
},
{
"tags": [
"patch"
],
"url": "https://orthanc.uclouvain.be/hg/orthanc/rev/bae99026ca97"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-01T12:27:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "Orthanc DICOM Server DCMTK FromDcmtkBridge.cpp read stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10528",
"datePublished": "2026-06-02T00:00:17.171Z",
"dateReserved": "2026-06-01T10:22:24.098Z",
"dateUpdated": "2026-06-02T12:23:36.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5445 (GCVE-0-2026-5445)
Vulnerability from nvd – Published: 2026-04-09 14:42 – Updated: 2026-04-14 16:34
VLAI
Title
Out-of-Bounds Read in DicomImageDecoder (DecodeLookupTable)
Summary
An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:08:58.289132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:52.024Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:42:51.673Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in DicomImageDecoder (DecodeLookupTable)",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5445"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5445",
"datePublished": "2026-04-09T14:42:51.673Z",
"dateReserved": "2026-04-02T19:23:30.637Z",
"dateUpdated": "2026-04-14T16:34:52.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5444 (GCVE-0-2026-5444)
Vulnerability from nvd – Published: 2026-04-09 14:42 – Updated: 2026-04-14 16:34
VLAI
Title
Heap Buffer Overflow in PAM Image Buffer Allocation
Summary
A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:08:02.200164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:57.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:42:30.696Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Buffer Overflow in PAM Image Buffer Allocation",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5444"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5444",
"datePublished": "2026-04-09T14:42:30.696Z",
"dateReserved": "2026-04-02T19:23:20.072Z",
"dateUpdated": "2026-04-14T16:34:57.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5443 (GCVE-0-2026-5443)
Vulnerability from nvd – Published: 2026-04-09 14:43 – Updated: 2026-04-14 16:34
VLAI
Title
Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)
Summary
A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5443",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:10:56.990073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:45.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:43:15.227Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5443"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5443",
"datePublished": "2026-04-09T14:43:15.227Z",
"dateReserved": "2026-04-02T19:23:06.757Z",
"dateUpdated": "2026-04-14T16:34:45.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5442 (GCVE-0-2026-5442)
Vulnerability from nvd – Published: 2026-04-09 14:43 – Updated: 2026-04-14 16:34
VLAI
Title
Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions
Summary
A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5442",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:12:07.779154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:39.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:43:43.571Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5442"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5442",
"datePublished": "2026-04-09T14:43:43.571Z",
"dateReserved": "2026-04-02T19:22:48.196Z",
"dateUpdated": "2026-04-14T16:34:39.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5441 (GCVE-0-2026-5441)
Vulnerability from nvd – Published: 2026-04-09 14:42 – Updated: 2026-04-14 16:35
VLAI
Title
Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression)
Summary
An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5441",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:07:23.792857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:35:04.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:42:04.597Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression)",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5441"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5441",
"datePublished": "2026-04-09T14:42:04.597Z",
"dateReserved": "2026-04-02T19:22:35.863Z",
"dateUpdated": "2026-04-14T16:35:04.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5440 (GCVE-0-2026-5440)
Vulnerability from nvd – Published: 2026-04-09 14:43 – Updated: 2026-04-14 16:34
VLAI
Title
Memory Exhaustion via Unbounded Content-Length
Summary
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5440",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:12:48.721931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:31.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:43:55.684Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory Exhaustion via Unbounded Content-Length",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5440"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5440",
"datePublished": "2026-04-09T14:43:55.684Z",
"dateReserved": "2026-04-02T19:22:26.410Z",
"dateUpdated": "2026-04-14T16:34:31.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5439 (GCVE-0-2026-5439)
Vulnerability from nvd – Published: 2026-04-09 14:44 – Updated: 2026-04-14 16:34
VLAI
Title
Memory Exhaustion via Forged ZIP Metadata
Summary
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:15:14.226462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:14.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:44:37.078Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory Exhaustion via Forged ZIP Metadata",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5439"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5439",
"datePublished": "2026-04-09T14:44:37.078Z",
"dateReserved": "2026-04-02T19:22:13.583Z",
"dateUpdated": "2026-04-14T16:34:14.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5438 (GCVE-0-2026-5438)
Vulnerability from nvd – Published: 2026-04-09 14:44 – Updated: 2026-04-14 16:34
VLAI
Title
Gzip Decompression Bomb via Content-Encoding Header
Summary
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:13:20.018057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:26.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:44:05.375Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Gzip Decompression Bomb via Content-Encoding Header",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5438"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5438",
"datePublished": "2026-04-09T14:44:05.375Z",
"dateReserved": "2026-04-02T19:21:58.543Z",
"dateUpdated": "2026-04-14T16:34:26.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5437 (GCVE-0-2026-5437)
Vulnerability from nvd – Published: 2026-04-09 14:44 – Updated: 2026-04-14 16:34
VLAI
Title
Out-of-Bounds Read in DicomStreamReader
Summary
An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:14:39.947635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:20.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:44:17.972Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in DicomStreamReader",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5437"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5437",
"datePublished": "2026-04-09T14:44:17.972Z",
"dateReserved": "2026-04-02T19:21:45.325Z",
"dateUpdated": "2026-04-14T16:34:20.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10528 (GCVE-0-2026-10528)
Vulnerability from cvelistv5 – Published: 2026-06-02 00:00 – Updated: 2026-06-02 12:23
VLAI
Title
Orthanc DICOM Server DCMTK FromDcmtkBridge.cpp read stack-based overflow
Summary
A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367636 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367636/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10528 | third-party-advisory |
| https://vuldb.com/submit/820766 | third-party-advisory |
| https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258 | issue-tracking |
| https://orthanc.uclouvain.be/bugs/show_bug.cgi?id… | issue-tracking |
| https://orthanc.uclouvain.be/bugs/attachment.cgi?id=150 | exploit |
| https://orthanc.uclouvain.be/hg/orthanc/rev/bae99… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
1.12.0
Affected: 1.12.1 Affected: 1.12.2 Affected: 1.12.3 Affected: 1.12.4 Affected: 1.12.5 Affected: 1.12.6 Affected: 1.12.7 Affected: 1.12.8 Affected: 1.12.9 Affected: 1.12.10 Affected: 1.12.11 cpe:2.3:a:orthanc:dicom_server:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10528",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T12:23:23.238834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:23:36.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:orthanc:dicom_server:*:*:*:*:*:*:*:*"
],
"modules": [
"DCMTK Parser"
],
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"status": "affected",
"version": "1.12.0"
},
{
"status": "affected",
"version": "1.12.1"
},
{
"status": "affected",
"version": "1.12.2"
},
{
"status": "affected",
"version": "1.12.3"
},
{
"status": "affected",
"version": "1.12.4"
},
{
"status": "affected",
"version": "1.12.5"
},
{
"status": "affected",
"version": "1.12.6"
},
{
"status": "affected",
"version": "1.12.7"
},
{
"status": "affected",
"version": "1.12.8"
},
{
"status": "affected",
"version": "1.12.9"
},
{
"status": "affected",
"version": "1.12.10"
},
{
"status": "affected",
"version": "1.12.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dapickle (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T00:00:17.171Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367636 | Orthanc DICOM Server DCMTK FromDcmtkBridge.cpp read stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367636"
},
{
"name": "VDB-367636 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367636/cti"
},
{
"name": "CVE-2026-10528 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10528"
},
{
"name": "Submit #820766 | orthanc orthanc core \u2264 1.12.11 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/820766"
},
{
"tags": [
"issue-tracking"
],
"url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258"
},
{
"tags": [
"issue-tracking"
],
"url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258#c4"
},
{
"tags": [
"exploit"
],
"url": "https://orthanc.uclouvain.be/bugs/attachment.cgi?id=150"
},
{
"tags": [
"patch"
],
"url": "https://orthanc.uclouvain.be/hg/orthanc/rev/bae99026ca97"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-01T12:27:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "Orthanc DICOM Server DCMTK FromDcmtkBridge.cpp read stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10528",
"datePublished": "2026-06-02T00:00:17.171Z",
"dateReserved": "2026-06-01T10:22:24.098Z",
"dateUpdated": "2026-06-02T12:23:36.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5439 (GCVE-0-2026-5439)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:44 – Updated: 2026-04-14 16:34
VLAI
Title
Memory Exhaustion via Forged ZIP Metadata
Summary
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:15:14.226462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:14.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:44:37.078Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory Exhaustion via Forged ZIP Metadata",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5439"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5439",
"datePublished": "2026-04-09T14:44:37.078Z",
"dateReserved": "2026-04-02T19:22:13.583Z",
"dateUpdated": "2026-04-14T16:34:14.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5437 (GCVE-0-2026-5437)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:44 – Updated: 2026-04-14 16:34
VLAI
Title
Out-of-Bounds Read in DicomStreamReader
Summary
An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:14:39.947635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:20.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:44:17.972Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in DicomStreamReader",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5437"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5437",
"datePublished": "2026-04-09T14:44:17.972Z",
"dateReserved": "2026-04-02T19:21:45.325Z",
"dateUpdated": "2026-04-14T16:34:20.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5438 (GCVE-0-2026-5438)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:44 – Updated: 2026-04-14 16:34
VLAI
Title
Gzip Decompression Bomb via Content-Encoding Header
Summary
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:13:20.018057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:26.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:44:05.375Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Gzip Decompression Bomb via Content-Encoding Header",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5438"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5438",
"datePublished": "2026-04-09T14:44:05.375Z",
"dateReserved": "2026-04-02T19:21:58.543Z",
"dateUpdated": "2026-04-14T16:34:26.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5440 (GCVE-0-2026-5440)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:43 – Updated: 2026-04-14 16:34
VLAI
Title
Memory Exhaustion via Unbounded Content-Length
Summary
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5440",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:12:48.721931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:31.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:43:55.684Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory Exhaustion via Unbounded Content-Length",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5440"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5440",
"datePublished": "2026-04-09T14:43:55.684Z",
"dateReserved": "2026-04-02T19:22:26.410Z",
"dateUpdated": "2026-04-14T16:34:31.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5442 (GCVE-0-2026-5442)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:43 – Updated: 2026-04-14 16:34
VLAI
Title
Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions
Summary
A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5442",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:12:07.779154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:39.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:43:43.571Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5442"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5442",
"datePublished": "2026-04-09T14:43:43.571Z",
"dateReserved": "2026-04-02T19:22:48.196Z",
"dateUpdated": "2026-04-14T16:34:39.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5443 (GCVE-0-2026-5443)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:43 – Updated: 2026-04-14 16:34
VLAI
Title
Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)
Summary
A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5443",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:10:56.990073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:45.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:43:15.227Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5443"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5443",
"datePublished": "2026-04-09T14:43:15.227Z",
"dateReserved": "2026-04-02T19:23:06.757Z",
"dateUpdated": "2026-04-14T16:34:45.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5445 (GCVE-0-2026-5445)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:42 – Updated: 2026-04-14 16:34
VLAI
Title
Out-of-Bounds Read in DicomImageDecoder (DecodeLookupTable)
Summary
An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:08:58.289132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:52.024Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:42:51.673Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in DicomImageDecoder (DecodeLookupTable)",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5445"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5445",
"datePublished": "2026-04-09T14:42:51.673Z",
"dateReserved": "2026-04-02T19:23:30.637Z",
"dateUpdated": "2026-04-14T16:34:52.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5444 (GCVE-0-2026-5444)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:42 – Updated: 2026-04-14 16:34
VLAI
Title
Heap Buffer Overflow in PAM Image Buffer Allocation
Summary
A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:08:02.200164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:34:57.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:42:30.696Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Buffer Overflow in PAM Image Buffer Allocation",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5444"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5444",
"datePublished": "2026-04-09T14:42:30.696Z",
"dateReserved": "2026-04-02T19:23:20.072Z",
"dateUpdated": "2026-04-14T16:34:57.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5441 (GCVE-0-2026-5441)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:42 – Updated: 2026-04-14 16:35
VLAI
Title
Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression)
Summary
An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Orthanc | DICOM Server |
Affected:
0 , ≤ 1.12.10
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5441",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:07:23.792857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:35:04.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DICOM Server",
"vendor": "Orthanc",
"versions": [
{
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125 Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:42:04.597Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.orthanc-server.com/"
},
{
"url": "https://www.machinespirits.de/"
},
{
"url": "https://kb.cert.org/vuls/id/536588"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression)",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5441"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5441",
"datePublished": "2026-04-09T14:42:04.597Z",
"dateReserved": "2026-04-02T19:22:35.863Z",
"dateUpdated": "2026-04-14T16:35:04.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}