Skip to main content

Dicom Server CVE-2026-5442

| EUVDEUVD-2026-20920 CRITICAL
Out-of-bounds Write (CWE-787)
2026-04-09 certcc GHSA-f2m7-r4gw-p642
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:24 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2026-20920
CVE Published
Apr 09, 2026 - 14:43 nvd
N/A

DescriptionCVE.org

A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.

AnalysisAI

Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malformed DICOM images. Attackers exploit integer overflow during frame size calculation by submitting DICOM files with dimension fields encoded as Unsigned Long (UL) instead of Unsigned Short (US), causing out-of-bounds memory access during image decoding. CVSS 9.8 (Critical) with network-accessible attack vector requiring no authentication or user interaction. EPSS score 2% (percentile 4%) suggests low observed exploitation probability despite critical severity. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability affects Orthanc DICOM Server's image decoding subsystem, which processes medical imaging files conforming to the DICOM (Digital Imaging and Communications in Medicine) standard. DICOM uses Value Representation (VR) tags to define data types for encoded fields. Image dimensions should use VR:US (Unsigned Short, 16-bit, max value 65,535), but the vulnerable decoder accepts VR:UL (Unsigned Long, 32-bit, max value 4,294,967,295). When calculating frame buffer size (width × height × bytes_per_pixel), extremely large UL-encoded dimensions trigger integer overflow in the size computation. The decoder then allocates a heap buffer smaller than required and writes beyond bounds during pixel data extraction, resulting in heap corruption. This is a classic integer overflow-to-buffer overflow chain common in image parsers processing untrusted input. Affected product CPE: cpe:2.3:a:orthanc:dicom_server:*:*:*:*:*:*:*:* (all versions through 1.12.10).

RemediationAI

No vendor-released patch identified at time of analysis based on available references. Organizations should monitor the official Orthanc project repository and vendor communications (https://www.orthanc-server.com/) for security updates addressing CVE-2026-5442. Interim mitigations include: restrict network access to Orthanc DICOM endpoints using firewall rules or VPN-only access, implement strict input validation on DICOM files before processing (verify dimension fields use VR:US encoding and reject VR:UL), deploy Orthanc instances in isolated network segments separated from critical healthcare systems, enable comprehensive logging to detect malformed DICOM submission attempts, and consider alternative DICOM server implementations for internet-facing use cases until patches are available. Consult CERT/CC advisory VU#536588 (https://kb.cert.org/vuls/id/536588) for additional technical guidance and detection signatures. Healthcare organizations should coordinate remediation with medical device security and clinical engineering teams to ensure continuity of imaging workflows.

Share

CVE-2026-5442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy