Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
An out-of-bounds read vulnerability exists in the DecodePsmctRle1 function of DicomImageDecoder.cpp. The PMSCT_RLE1 decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
AnalysisAI
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory into rendered medical images via maliciously crafted DICOM files. Affects versions ≤1.12.10. Requires user interaction (opening crafted file). EPSS 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis. CERT/CC reported (VU#536588).
Technical ContextAI
The vulnerability resides in the PMSCT_RLE1 decompression implementation within DicomImageDecoder.cpp, part of Orthanc DICOM Server (cpe:2.3:a:orthanc:dicom_server). PMSCT_RLE1 is Philips' proprietary run-length encoding compression format used in medical imaging. The decoder processes escape markers to control decompression state, but fails to validate marker positions relative to buffer boundaries when they appear near the end of compressed data streams. This classic out-of-bounds read occurs during heap-allocated buffer access, causing the decoder to read beyond allocated memory regions. The leaked out-of-bounds data is directly incorporated into the decompressed image output, making heap contents visible in rendered pixel data. As a buffer overflow variant, this represents improper input validation at the decompression layer where compressed data length assumptions fail to account for malformed marker sequences. DICOM (Digital Imaging and Communications in Medicine) servers like Orthanc are critical infrastructure in healthcare environments, processing patient imaging data.
RemediationAI
No vendor-released patch identified at time of analysis; upstream fix availability not confirmed from available data. Monitor Orthanc project releases at https://www.orthanc-server.com/ for security updates addressing CVE-2026-5441. Until patches are available, implement defense-in-depth measures: restrict DICOM file sources to trusted origins, deploy file integrity validation, sandbox DICOM processing in isolated environments with minimal privileges, disable Philips PMSCT_RLE1 codec support if not operationally required, and implement network segmentation to limit local access vectors. Review CERT/CC advisory VU#536588 at https://kb.cert.org/vuls/id/536588 for additional technical guidance. Organizations should audit DICOM workflow processes to identify where untrusted files might enter the imaging pipeline and enforce strict input validation policies.
More in Dicom Server
View allHeap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malfor
Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory
Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the se
Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uplo
Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the ser
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20918
GHSA-5jvx-5q86-rxx3