Skip to main content

Dicom Server CVE-2026-5439

| EUVDEUVD-2026-20916 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-09 certcc GHSA-6cmv-pvcc-pf5h
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:23 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2026-20916
CVE Published
Apr 09, 2026 - 14:44 nvd
N/A

DescriptionCVE.org

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

AnalysisAI

Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uploading specially crafted ZIP archives with forged uncompressed size metadata. The server allocates excessive memory buffers based on untrusted size fields during automatic extraction, enabling resource exhaustion attacks without authentication (CVSS:3.1 AV:N/AC:L/PR:N). EPSS probability of 0.02% (4th percentile) indicates low likelihood of imminent exploitation, with no public exploit identified at time of analysis.

Technical ContextAI

Orthanc is an open-source DICOM (Digital Imaging and Communications in Medicine) server commonly deployed in medical imaging environments for managing radiology studies and healthcare image archives. The vulnerability affects the ZIP archive processing module that automatically extracts uploaded archives at specific server endpoints. The flaw stems from trusting client-supplied metadata in ZIP file headers, specifically the uncompressed size field specified in the central directory or local file headers. When processing a maliciously crafted ZIP archive, the server reads the declared uncompressed size and pre-allocates memory buffers of that size before actual decompression. An attacker can embed arbitrarily large size values (e.g., claiming gigabytes of uncompressed data) in a small compressed file (potentially just kilobytes), triggering allocation of massive memory regions that exhaust available system resources. This represents a classic resource management vulnerability where untrusted input controls memory allocation decisions without validation against actual compressed data size or system resource constraints.

RemediationAI

Organizations should upgrade Orthanc DICOM Server to version 1.12.11 or later when released, as the affected version range ends at 1.12.10. Monitor the official Orthanc security advisories at https://www.orthanc-server.com/ and CERT/CC Vulnerability Note VU#536588 at https://kb.cert.org/vuls/id/536588 for patch availability announcements. As interim mitigation measures, restrict network access to ZIP upload endpoints using firewall rules or web application firewall policies to limit exposure to trusted IP ranges only. Implement reverse proxy configurations with strict request size limits to prevent processing of oversized ZIP archives. Consider disabling automatic ZIP extraction functionality if not operationally required, or configure resource limits (memory caps, process resource limits via cgroups/ulimit) on the Orthanc service to prevent complete system resource exhaustion. Monitor system memory utilization for anomalous spikes that may indicate exploitation attempts. In healthcare environments, ensure redundant Orthanc instances are deployed to maintain imaging service availability during potential attack scenarios.

Share

CVE-2026-5439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy