Skip to main content

Dicom Server EUVDEUVD-2026-20926

| CVE-2026-5445 CRITICAL
Out-of-bounds Read (CWE-125)
2026-04-09 certcc GHSA-g69c-6pfv-54p9
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:24 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
9.1 (CRITICAL)
EUVD ID Assigned
Apr 09, 2026 - 15:00 euvd
EUVD-2026-20926
CVE Published
Apr 09, 2026 - 14:42 nvd
N/A

DescriptionCVE.org

An out-of-bounds read vulnerability exists in the DecodeLookupTable function within DicomImageDecoder.cpp. The lookup-table decoding logic used for PALETTE COLOR images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.

AnalysisAI

Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory contents and potentially crash the server via malformed PALETTE COLOR images. The vulnerability resides in the DecodeLookupTable function, which fails to validate pixel indices against palette size boundaries. With a 9.1 CVSS score but only 0.02% EPSS (4th percentile), the theoretical severity is high but observed real-world exploitation probability remains very low. No active exploitation confirmed (not in CISA KEV), no public exploit code identified at time of analysis.

Technical ContextAI

Orthanc DICOM Server is an open-source medical imaging server implementing the DICOM (Digital Imaging and Communications in Medicine) protocol. The vulnerability affects the image decoding pipeline in DicomImageDecoder.cpp, specifically the DecodeLookupTable function responsible for rendering paletted medical images. DICOM PALETTE COLOR images use indexed color encoding where pixel values reference entries in a lookup table (LUT). The decoder lacks bounds checking when translating pixel indices to RGB values from the palette. When processing crafted DICOM files with pixel indices exceeding the LUT size, the decoder performs unchecked pointer arithmetic and reads from adjacent heap memory regions. This classic buffer over-read vulnerability exposes arbitrary heap contents, which become embedded in the decoded output image buffer returned to clients. The affected CPE (cpe:2.3:a:orthanc:dicom_server) confirms the vulnerability is isolated to the Orthanc product line through version 1.12.10.

RemediationAI

Organizations running Orthanc DICOM Server should upgrade to version 1.12.11 or later, which includes bounds validation in the DecodeLookupTable function. Download patched releases from the official Orthanc project repository at https://www.orthanc-server.com/. For environments unable to immediately patch, implement network-level controls to restrict DICOM file upload sources to trusted medical imaging devices only. Deploy input validation proxies to reject DICOM files with malformed palette structures before reaching the Orthanc server. Enable enhanced logging to detect repeated decoding failures that may indicate exploitation attempts. Consider deploying Orthanc behind application firewalls with DICOM protocol inspection capabilities. Review server configurations to disable unnecessary DICOM transfer syntaxes if PALETTE COLOR support is not required for operational workflows. Consult CERT/CC vulnerability note VU#536588 at https://kb.cert.org/vuls/id/536588 for additional technical guidance and vendor coordination updates. Validate remediation by testing with sample DICOM files containing oversized palette indices and confirming proper error handling without crashes or memory exposure.

Share

EUVD-2026-20926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy