Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the Content-Length header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large Content-Length value can trigger excessive memory allocation and server termination, even without sending a request body.
AnalysisAI
Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the service by sending HTTP requests with excessively large Content-Length header values. The server allocates memory based on the header without validation, enabling denial-of-service without transmitting actual payload data. EPSS score of 0.02% (6th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified at time of analysis.
Technical ContextAI
Orthanc DICOM Server is a lightweight, RESTful medical imaging server for healthcare applications handling DICOM (Digital Imaging and Communications in Medicine) protocol. This vulnerability stems from improper input validation in the HTTP request handling logic where the server's memory allocation mechanism directly trusts the client-supplied Content-Length header value. Without enforcing maximum size constraints or resource quotas, an attacker can specify arbitrary large values (e.g., multiple gigabytes or terabytes) in the header, triggering immediate memory allocation that exceeds available system resources. This represents a classic resource exhaustion attack pattern where metadata validation failures enable denial-of-service conditions. The vulnerability is particularly impactful in medical environments where DICOM server availability directly affects clinical workflows and patient care delivery.
RemediationAI
Organizations should upgrade Orthanc DICOM Server to version 1.12.11 or later, which is expected to include input validation limiting Content-Length header values to reasonable thresholds. Until patching is complete, implement network-level mitigations including web application firewall rules to reject HTTP requests with Content-Length headers exceeding legitimate medical imaging file sizes (typically under 500MB for DICOM studies). Deploy reverse proxy solutions with request size limits and rate limiting to prevent repeated exploitation attempts. Restrict network access to Orthanc servers using firewall rules, allowing connections only from trusted PACS workstations and imaging modalities. Monitor server memory utilization for anomalous spikes indicating exploitation attempts. Consult vendor advisory at https://www.orthanc-server.com/ and CERT/CC vulnerability note https://kb.cert.org/vuls/id/536588 for official remediation guidance and updated release information.
More in Dicom Server
View allHeap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malfor
Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory
Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uplo
Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the ser
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20917
GHSA-826q-ppf7-8g9v