Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
AnalysisAI
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malformed DICOM images. Attackers exploit integer overflow during frame size calculation by submitting DICOM files with dimension fields encoded as Unsigned Long (UL) instead of Unsigned Short (US), causing out-of-bounds memory access during image decoding. CVSS 9.8 (Critical) with network-accessible attack vector requiring no authentication or user interaction. EPSS score 2% (percentile 4%) suggests low observed exploitation probability despite critical severity. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.
Technical ContextAI
The vulnerability affects Orthanc DICOM Server's image decoding subsystem, which processes medical imaging files conforming to the DICOM (Digital Imaging and Communications in Medicine) standard. DICOM uses Value Representation (VR) tags to define data types for encoded fields. Image dimensions should use VR:US (Unsigned Short, 16-bit, max value 65,535), but the vulnerable decoder accepts VR:UL (Unsigned Long, 32-bit, max value 4,294,967,295). When calculating frame buffer size (width × height × bytes_per_pixel), extremely large UL-encoded dimensions trigger integer overflow in the size computation. The decoder then allocates a heap buffer smaller than required and writes beyond bounds during pixel data extraction, resulting in heap corruption. This is a classic integer overflow-to-buffer overflow chain common in image parsers processing untrusted input. Affected product CPE: cpe:2.3:a:orthanc:dicom_server:*:*:*:*:*:*:*:* (all versions through 1.12.10).
RemediationAI
No vendor-released patch identified at time of analysis based on available references. Organizations should monitor the official Orthanc project repository and vendor communications (https://www.orthanc-server.com/) for security updates addressing CVE-2026-5442. Interim mitigations include: restrict network access to Orthanc DICOM endpoints using firewall rules or VPN-only access, implement strict input validation on DICOM files before processing (verify dimension fields use VR:US encoding and reject VR:UL), deploy Orthanc instances in isolated network segments separated from critical healthcare systems, enable comprehensive logging to detect malformed DICOM submission attempts, and consider alternative DICOM server implementations for internet-facing use cases until patches are available. Consult CERT/CC advisory VU#536588 (https://kb.cert.org/vuls/id/536588) for additional technical guidance and detection signatures. Healthcare organizations should coordinate remediation with medical device security and clinical engineering teams to ensure continuity of imaging workflows.
More in Dicom Server
View allHeap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory
Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the se
Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uplo
Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the ser
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20920
GHSA-f2m7-r4gw-p642