Skip to main content

Orthanc DICOM Server EUVDEUVD-2026-33854

| CVE-2026-10528 LOW
Buffer Overflow (CWE-119)
2026-06-02 cna@vuldb.com GHSA-crj5-j279-vv6p
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 00:34 vuln.today

DescriptionCVE.org

A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.

AnalysisAI

Stack-based buffer overflow in Orthanc DICOM Server up to version 1.12.11 allows a local, low-privileged attacker to crash the server process, causing limited availability impact through the DCMTK parser's DcmItem::read function. The CVSS 4.0 score of 1.9 reflects heavily constrained exploitation conditions: local access only, low-privilege account required, and impact confined to availability with no confidentiality or integrity exposure. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and CVE description), though no active exploitation has been confirmed by CISA KEV.

Technical ContextAI

Orthanc is an open-source, lightweight DICOM server widely deployed in medical imaging infrastructure. The vulnerability exists in OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp, specifically within the DcmItem::read function, which is part of Orthanc's integration with DCMTK (DICOM ToolKit) - a mature C++ library for parsing DICOM medical image files. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) identifies the root cause class: the parser does not enforce adequate bounds checking when reading DICOM item data from a crafted file, allowing a stack frame to be overwritten. Stack-based overflows in parsers of this type typically manifest when variable-length fields in a structured file format exceed the size of a fixed-size stack buffer allocated to receive them. No CPE string was supplied in source data; affected scope is defined by the CVE description as all Orthanc releases through 1.12.11.

RemediationAI

The primary fix is to apply the upstream patch identified by commit hash bae99026ca97, available in the Orthanc Mercurial repository at https://orthanc.uclouvain.be/hg/orthanc/rev/bae99026ca97. No specific patched release version number has been confirmed from the available data - the fix is referenced as a named commit rather than a tagged release, so administrators should monitor the Orthanc bug tracker at https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258#c4 for an official patched build announcement. As a compensating control pending patch deployment, restrict local OS account access to the Orthanc server host to only those users who operationally require it, as exploitation mandates local system presence with at minimum low-privilege credentials; this reduces attack surface without impacting DICOM network services. Additionally, consider running Orthanc under an isolated service account with minimal OS privileges to limit the impact radius if the process is crashed or further exploitation paths are discovered.

Share

EUVD-2026-33854 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy