Skip to main content

Dicom Server CVE-2026-5440

| EUVDEUVD-2026-20917 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-09 certcc GHSA-826q-ppf7-8g9v
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:23 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2026-20917
CVE Published
Apr 09, 2026 - 14:43 nvd
N/A

DescriptionCVE.org

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the Content-Length header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large Content-Length value can trigger excessive memory allocation and server termination, even without sending a request body.

AnalysisAI

Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the service by sending HTTP requests with excessively large Content-Length header values. The server allocates memory based on the header without validation, enabling denial-of-service without transmitting actual payload data. EPSS score of 0.02% (6th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

Technical ContextAI

Orthanc DICOM Server is a lightweight, RESTful medical imaging server for healthcare applications handling DICOM (Digital Imaging and Communications in Medicine) protocol. This vulnerability stems from improper input validation in the HTTP request handling logic where the server's memory allocation mechanism directly trusts the client-supplied Content-Length header value. Without enforcing maximum size constraints or resource quotas, an attacker can specify arbitrary large values (e.g., multiple gigabytes or terabytes) in the header, triggering immediate memory allocation that exceeds available system resources. This represents a classic resource exhaustion attack pattern where metadata validation failures enable denial-of-service conditions. The vulnerability is particularly impactful in medical environments where DICOM server availability directly affects clinical workflows and patient care delivery.

RemediationAI

Organizations should upgrade Orthanc DICOM Server to version 1.12.11 or later, which is expected to include input validation limiting Content-Length header values to reasonable thresholds. Until patching is complete, implement network-level mitigations including web application firewall rules to reject HTTP requests with Content-Length headers exceeding legitimate medical imaging file sizes (typically under 500MB for DICOM studies). Deploy reverse proxy solutions with request size limits and rate limiting to prevent repeated exploitation attempts. Restrict network access to Orthanc servers using firewall rules, allowing connections only from trusted PACS workstations and imaging modalities. Monitor server memory utilization for anomalous spikes indicating exploitation attempts. Consult vendor advisory at https://www.orthanc-server.com/ and CERT/CC vulnerability note https://kb.cert.org/vuls/id/536588 for official remediation guidance and updated release information.

Share

CVE-2026-5440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy