Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
AnalysisAI
Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uploading specially crafted ZIP archives with forged uncompressed size metadata. The server allocates excessive memory buffers based on untrusted size fields during automatic extraction, enabling resource exhaustion attacks without authentication (CVSS:3.1 AV:N/AC:L/PR:N). EPSS probability of 0.02% (4th percentile) indicates low likelihood of imminent exploitation, with no public exploit identified at time of analysis.
Technical ContextAI
Orthanc is an open-source DICOM (Digital Imaging and Communications in Medicine) server commonly deployed in medical imaging environments for managing radiology studies and healthcare image archives. The vulnerability affects the ZIP archive processing module that automatically extracts uploaded archives at specific server endpoints. The flaw stems from trusting client-supplied metadata in ZIP file headers, specifically the uncompressed size field specified in the central directory or local file headers. When processing a maliciously crafted ZIP archive, the server reads the declared uncompressed size and pre-allocates memory buffers of that size before actual decompression. An attacker can embed arbitrarily large size values (e.g., claiming gigabytes of uncompressed data) in a small compressed file (potentially just kilobytes), triggering allocation of massive memory regions that exhaust available system resources. This represents a classic resource management vulnerability where untrusted input controls memory allocation decisions without validation against actual compressed data size or system resource constraints.
RemediationAI
Organizations should upgrade Orthanc DICOM Server to version 1.12.11 or later when released, as the affected version range ends at 1.12.10. Monitor the official Orthanc security advisories at https://www.orthanc-server.com/ and CERT/CC Vulnerability Note VU#536588 at https://kb.cert.org/vuls/id/536588 for patch availability announcements. As interim mitigation measures, restrict network access to ZIP upload endpoints using firewall rules or web application firewall policies to limit exposure to trusted IP ranges only. Implement reverse proxy configurations with strict request size limits to prevent processing of oversized ZIP archives. Consider disabling automatic ZIP extraction functionality if not operationally required, or configure resource limits (memory caps, process resource limits via cgroups/ulimit) on the Orthanc service to prevent complete system resource exhaustion. Monitor system memory utilization for anomalous spikes that may indicate exploitation attempts. In healthcare environments, ensure redundant Orthanc instances are deployed to maintain imaging service availability during potential attack scenarios.
More in Dicom Server
View allHeap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malfor
Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory
Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the se
Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the ser
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20916
GHSA-6cmv-pvcc-pf5h