Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with Content-Encoding: gzip. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
AnalysisAI
Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service via gzip decompression bombs in HTTP requests. Attackers send maliciously crafted gzip-compressed payloads with inflated decompression metadata, forcing the server to allocate unbounded memory and crash. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis. CVSS 7.5 reflects network-reachable, low-complexity attack requiring no authentication, but impact limited to availability only.
Technical ContextAI
Orthanc is an open-source DICOM server for medical imaging workflows. This vulnerability affects the HTTP request handling layer when processing Content-Encoding: gzip headers. Classic decompression bomb attacks exploit algorithmic complexity by embedding highly compressible data (e.g., long runs of zeros) that expand dramatically upon decompression. Without implementing decompression ratio limits or memory caps, the server allocates memory proportional to the attacker-declared uncompressed size in gzip metadata. The CPE identifier cpe:2.3:a:orthanc:dicom_server indicates all versions through 1.12.10 are affected. While no CWE is formally assigned, this aligns with CWE-409 (Improper Handling of Highly Compressed Data) and CWE-770 (Allocation of Resources Without Limits or Throttling). Medical imaging environments often expose DICOM servers to network access for radiology workflows, increasing attack surface.
RemediationAI
No vendor-released patch identified at time of analysis based on available advisory data. Organizations should monitor the official Orthanc repository (https://www.orthanc-server.com/) and CERT/CC VU#536588 (https://kb.cert.org/vuls/id/536588) for forthcoming patches addressing decompression limits. Interim mitigations include deploying reverse proxies or web application firewalls configured to reject or limit gzip-encoded requests, restricting network access to trusted DICOM workstations via firewall rules, and implementing resource quotas at the container or VM layer to prevent full memory exhaustion. For internet-facing deployments, immediately apply network segmentation to isolate DICOM services from untrusted networks until patches are available. Review Orthanc server logs for unusual patterns of gzip-encoded POST/PUT requests from unexpected source IPs as potential reconnaissance activity.
More in Dicom Server
View allHeap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malfor
Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory
Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the se
Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uplo
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the ser
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20914
GHSA-7vj5-pm38-6wjv