Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
AnalysisAI
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the service via maliciously crafted PAM images embedded in DICOM files. The vulnerability stems from integer overflow during buffer size calculation when multiplying image dimensions with 32-bit arithmetic, leading to undersized heap allocation followed by oversized writes during pixel processing. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability; no public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
Orthanc is an open-source DICOM server used in medical imaging workflows to receive, store, and distribute medical images. This vulnerability affects the server's PAM (Portable Arbitrary Map) image parsing component, which handles pixel data extraction from DICOM encapsulated images. The flaw occurs when the parser calculates heap buffer size using 32-bit unsigned integer multiplication of user-controlled image dimensions (width × height × channels). An attacker can craft dimensions that appear valid individually but overflow during multiplication (e.g., width=65536, height=65536 overflows to a small value in 32-bit space), causing malloc() to allocate insufficient memory. Subsequent pixel processing writes the full expected data size into this undersized buffer, corrupting adjacent heap metadata or application data. This is a classic CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow) exploitation pattern common in image parsers that lack proper overflow checks before allocation.
RemediationAI
Upgrade Orthanc DICOM Server to version 1.12.11 or later, which should contain fixes for the integer overflow in PAM parsing logic (confirm fixed version through vendor advisory at https://www.orthanc-server.com/ or CERT/CC coordination at https://kb.cert.org/vuls/id/536588). As an interim workaround, restrict DICOM file sources to trusted medical imaging devices only and implement file validation at ingestion points to reject files with suspicious PAM headers or extreme dimension values. Configure Orthanc with minimal privileges and deploy address space layout randomization (ASLR) and stack canaries to increase exploitation difficulty. Monitor logs for crashes during image processing as potential indicators of exploitation attempts.
More in Dicom Server
View allHeap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malfor
Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory
Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the se
Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uplo
Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20924