Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A heap buffer overflow vulnerability exists during the decoding of PALETTE COLOR DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
AnalysisAI
Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code execution by sending specially crafted PALETTE COLOR DICOM images. The flaw stems from integer overflow during 32-bit width×height multiplication in pixel length validation, causing bounds checks to incorrectly pass and enabling out-of-bounds memory read/write operations. CVSS 9.8 critical severity with network attack vector requiring no privileges or user interaction. EPSS exp
Technical ContextAI
Orthanc is an open-source DICOM server used in medical imaging workflows for storing, routing, and processing radiology images. The vulnerability affects the DICOM image decoding pipeline when processing PALETTE COLOR photometric interpretation images. DICOM images define pixel data dimensions through width and height attributes, and the decoder must allocate sufficient heap memory based on total pixel count. The affected validation logic performs 32-bit integer multiplication (width × height × bytes_per_pixel) to calculate required buffer size. On 32-bit systems or when width/height values exceed √(2^32), this multiplication wraps around to a small positive value, bypassing allocation size checks. The decoder then attempts to process the full image dimensions into an undersized buffer, triggering classic heap buffer overflow conditions. This is an integer overflow leading to heap corruption vulnerability class, commonly seen in image parsing libraries handling untrusted dimension metadata. The CPE string cpe:2.3:a:orthanc:dicom_server identifies the vulnerable component as the Orthanc DICOM Server application stack.
RemediationAI
Upgrade Orthanc DICOM Server to version 1.12.11 or later, which implements corrected integer overflow validation using 64-bit multiplication or overflow detection mechanisms before heap allocation. Obtain patched releases from the official Orthanc downloads page at https://www.orthanc-server.com/ or pull updated container images if using Docker-based deployments. For organizations unable to immediately patch, implement network-level mitigation by restricting DICOM protocol access (ports 4242/TCP, 104/TCP, and any custom configured ports) to trusted medical imaging devices and workstations only, using firewall rules or network segmentation. Deploy input validation proxies or DICOM protocol inspectors that reject images with suspicious dimension attributes (width or height exceeding 32768 pixels, or products approaching 2^32). Disable DICOM C-STORE operations from untrusted sources if operational workflows permit. Monitor Orthanc server logs for unexpected crashes or memory corruption indicators during image processing operations. Review CERT/CC advisory VU#536588 at https://kb.cert.org/vuls/id/536588 for additional technical guidance and subscribe to Orthanc security mailing lists for future updates. Validate remediation by testing with oversized dimension DICOM test files in isolated environments before returning systems to production.
More in Dicom Server
View allHeap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malfor
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory
Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the se
Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uplo
Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the ser
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20922
GHSA-x69c-qfxw-mhm7