{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/536588#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nMultiple vulnerabilities have been identified in Orthanc DICOM Server version 1.12.10 and earlier that affect image decoding and HTTP request handling components. They include heap buffer overflows, out-of-bounds reads, and resource exhaustion issues that may allow attackers to crash the server, leak memory contents, or potentially execute arbitrary code.\r\n\r\n### Description\r\nOrthanc is an open-source lightweight Digital Imaging and Communications in Medicine (DICOM) server used to store, process, and retrieve medical imaging data in healthcare environments. The following nine vulnerabilities identified in Orthanc primarily stem from unsafe arithmetic operations, missing bounds checks, and insufficient validation of attacker-controlled metadata in DICOM files and HTTP requests.\r\n\r\n**CVE-2026-5437** An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.\r\n\r\n**CVE-2026-5438** A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.\r\n\r\n**CVE-2026-5439** A memory exhaustion vulnerability exists in ZIP archive processing. 
Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.\r\n\r\n**CVE-2026-5440** A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value, such as approximately 4 GB, can trigger excessive memory allocation and server termination, even without sending a request body.\r\n\r\n**CVE-2026-5441** An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.\r\n\r\n**CVE-2026-5442** A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.\r\n\r\n**CVE-2026-5443** A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. 
If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.\r\n\r\n**CVE-2026-5444** A heap buffer overflow vulnerability exists in the PAM (https://netpbm.sourceforge.net/doc/pam.html) image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.\r\n\r\n**CVE-2026-5445** An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.\r\n\r\n### Impact\r\nThe vulnerabilities in Orthanc DICOM Server 1.12.10 allow attackers to trigger heap memory corruption, out-of-bounds reads, information disclosure, and denial-of-service conditions through crafted DICOM files and HTTP requests. The most severe issues are heap-based buffer overflows in image parsing and decoding logic, which can crash the Orthanc process and may, under certain conditions, provide a pathway to remote code execution (RCE). Several additional flaws permit out-of-bounds reads that can expose heap-resident data, including allocator metadata, internal identifiers, pointers, and portions of adjacent DICOM content through rendered image output.\r\nIn addition, multiple vulnerabilities allow resource exhaustion by causing Orthanc to allocate excessive amounts of memory based on attacker-controlled metadata such as `Content-Length`, ZIP archive size fields, and gzip decompression size values. 
These conditions can reliably result in process termination and denial of service, often with only a small crafted payload. Some of the affected code paths may also allow malicious DICOM content to be stored and later re-triggered during normal processing, increasing the persistence and operational impact of exploitation.\r\n\r\n### Solution\r\nOrthanc has released version 1.12.11 to address these vulnerabilities, and users are strongly encouraged to upgrade as soon as possible. Administrators should review deployment configurations to limit exposure of upload and image processing functionality to trusted users and networks wherever possible. Refer to Orthanc documentation and release notes for patching and deployment guidance.\r\n\r\n### Acknowledgements\r\nThanks to Dr. Simon Weber and Volker Schönefeld of Machine Spirits UG (https://machinespirits.com) for the disclosure of these vulnerabilities. This document was written by Michael Bragg.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/536588"}],"title":"Multiple Heap Buffer Overflows in Orthanc DICOM Server","tracking":{"current_release_date":"2026-04-09T14:44:52+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#536588","initial_release_date":"2026-04-09 14:40:11.214512+00:00","revision_history":[{"date":"2026-04-09T14:44:52+00:00","number":"1.20260409144452.2","summary":"Released on 2026-04-09T14:44:52+00:00"}],"status":"final","version":"1.20260409144452.2"}},"vulnerabilities":[{"title":"A memory exhaustion vulnerability exists in ZIP archive processing.","notes":[{"category":"summary","text":"A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. 
An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction."}],"cve":"CVE-2026-5439","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba5961e-345a-11f1-8422-122e2785dc9f"]}},{"title":"An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing.","notes":[{"category":"summary","text":"An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic."}],"cve":"CVE-2026-5437","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba606bc-345a-11f1-8422-122e2785dc9f"]}},{"title":"A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with `Content-Encoding: gzip`.","notes":[{"category":"summary","text":"A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory."}],"cve":"CVE-2026-5438","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba65306-345a-11f1-8422-122e2785dc9f"]}},{"title":"A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header.","notes":[{"category":"summary","text":"A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. 
The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body."}],"cve":"CVE-2026-5440","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba6afea-345a-11f1-8422-122e2785dc9f"]}},{"title":"A heap buffer overflow vulnerability exists in the DICOM image decoder.","notes":[{"category":"summary","text":"A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding."}],"cve":"CVE-2026-5442","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba70648-345a-11f1-8422-122e2785dc9f"]}},{"title":"A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images.","notes":[{"category":"summary","text":"A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. 
If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers."}],"cve":"CVE-2026-5443","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba75aa8-345a-11f1-8422-122e2785dc9f"]}},{"title":"An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.","notes":[{"category":"summary","text":"An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image."}],"cve":"CVE-2026-5445","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba7b9d0-345a-11f1-8422-122e2785dc9f"]}},{"title":"A heap buffer overflow vulnerability exists in the PAM image parsing logic.","notes":[{"category":"summary","text":"A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. 
Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing."}],"cve":"CVE-2026-5444","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba82820-345a-11f1-8422-122e2785dc9f"]}},{"title":"An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.","notes":[{"category":"summary","text":"An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output."}],"cve":"CVE-2026-5441","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#536588"}],"product_status":{"known_affected":["CSAFPID-0ba89a8a-345a-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc Products","product_id":"CSAFPID-0ba5961e-345a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc Products","product_id":"CSAFPID-0ba606bc-345a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc Products","product_id":"CSAFPID-0ba65306-345a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc Products","product_id":"CSAFPID-0ba6afea-345a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc Products","product_id":"CSAFPID-0ba70648-345a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc 
Products","product_id":"CSAFPID-0ba75aa8-345a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc Products","product_id":"CSAFPID-0ba7b9d0-345a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc Products","product_id":"CSAFPID-0ba82820-345a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Orthanc","product":{"name":"Orthanc Products","product_id":"CSAFPID-0ba89a8a-345a-11f1-8422-122e2785dc9f"}}]}}