Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
An out-of-bounds read vulnerability exists in the DecodeLookupTable function within DicomImageDecoder.cpp. The lookup-table decoding logic used for PALETTE COLOR images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
AnalysisAI
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory contents and potentially crash the server via malformed PALETTE COLOR images. The vulnerability resides in the DecodeLookupTable function, which fails to validate pixel indices against palette size boundaries. With a 9.1 CVSS score but only 0.02% EPSS (4th percentile), the theoretical severity is high but observed real-world exploitation probability remains very low. No active exploitation confirmed (not in CISA KEV), no public exploit code identified at time of analysis.
Technical ContextAI
Orthanc DICOM Server is an open-source medical imaging server implementing the DICOM (Digital Imaging and Communications in Medicine) protocol. The vulnerability affects the image decoding pipeline in DicomImageDecoder.cpp, specifically the DecodeLookupTable function responsible for rendering paletted medical images. DICOM PALETTE COLOR images use indexed color encoding where pixel values reference entries in a lookup table (LUT). The decoder lacks bounds checking when translating pixel indices to RGB values from the palette. When processing crafted DICOM files with pixel indices exceeding the LUT size, the decoder performs unchecked pointer arithmetic and reads from adjacent heap memory regions. This classic buffer over-read vulnerability exposes arbitrary heap contents, which become embedded in the decoded output image buffer returned to clients. The affected CPE (cpe:2.3:a:orthanc:dicom_server) confirms the vulnerability is isolated to the Orthanc product line through version 1.12.10.
RemediationAI
Organizations running Orthanc DICOM Server should upgrade to version 1.12.11 or later, which includes bounds validation in the DecodeLookupTable function. Download patched releases from the official Orthanc project repository at https://www.orthanc-server.com/. For environments unable to immediately patch, implement network-level controls to restrict DICOM file upload sources to trusted medical imaging devices only. Deploy input validation proxies to reject DICOM files with malformed palette structures before reaching the Orthanc server. Enable enhanced logging to detect repeated decoding failures that may indicate exploitation attempts. Consider deploying Orthanc behind application firewalls with DICOM protocol inspection capabilities. Review server configurations to disable unnecessary DICOM transfer syntaxes if PALETTE COLOR support is not required for operational workflows. Consult CERT/CC vulnerability note VU#536588 at https://kb.cert.org/vuls/id/536588 for additional technical guidance and vendor coordination updates. Validate remediation by testing with sample DICOM files containing oversized palette indices and confirming proper error handling without crashes or memory exposure.
More in Dicom Server
View allHeap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malfor
Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code
Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the se
Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uplo
Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the ser
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20926
GHSA-g69c-6pfv-54p9