Skip to main content

Dicom Server EUVDEUVD-2026-20914

| CVE-2026-5438 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-09 certcc GHSA-7vj5-pm38-6wjv
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:23 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2026-20914
CVE Published
Apr 09, 2026 - 14:44 nvd
N/A

DescriptionCVE.org

A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with Content-Encoding: gzip. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.

AnalysisAI

Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service via gzip decompression bombs in HTTP requests. Attackers send maliciously crafted gzip-compressed payloads with inflated decompression metadata, forcing the server to allocate unbounded memory and crash. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis. CVSS 7.5 reflects network-reachable, low-complexity attack requiring no authentication, but impact limited to availability only.

Technical ContextAI

Orthanc is an open-source DICOM server for medical imaging workflows. This vulnerability affects the HTTP request handling layer when processing Content-Encoding: gzip headers. Classic decompression bomb attacks exploit algorithmic complexity by embedding highly compressible data (e.g., long runs of zeros) that expand dramatically upon decompression. Without implementing decompression ratio limits or memory caps, the server allocates memory proportional to the attacker-declared uncompressed size in gzip metadata. The CPE identifier cpe:2.3:a:orthanc:dicom_server indicates all versions through 1.12.10 are affected. While no CWE is formally assigned, this aligns with CWE-409 (Improper Handling of Highly Compressed Data) and CWE-770 (Allocation of Resources Without Limits or Throttling). Medical imaging environments often expose DICOM servers to network access for radiology workflows, increasing attack surface.

RemediationAI

No vendor-released patch identified at time of analysis based on available advisory data. Organizations should monitor the official Orthanc repository (https://www.orthanc-server.com/) and CERT/CC VU#536588 (https://kb.cert.org/vuls/id/536588) for forthcoming patches addressing decompression limits. Interim mitigations include deploying reverse proxies or web application firewalls configured to reject or limit gzip-encoded requests, restricting network access to trusted DICOM workstations via firewall rules, and implementing resource quotas at the container or VM layer to prevent full memory exhaustion. For internet-facing deployments, immediately apply network segmentation to isolate DICOM services from untrusted networks until patches are available. Review Orthanc server logs for unusual patterns of gzip-encoded POST/PUT requests from unexpected source IPs as potential reconnaissance activity.

Share

EUVD-2026-20914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy