CISA advises addressing Orthanc DICOM Server vulnerabilities
Orthanc DICOM Server versions 1.12.10 and earlier have multiple vulnerabilities in image decoding and Hypertext Transfer Protocol (HTTP) request handling that can lead to heap memory corruption, out-of-bounds reads, information disclosure, and Denial of Service (DoS), including conditions that may enable remote code execution under certain circumstances.
Across nine identified issues, CVE-2026-5437 is an out-of-bounds read in DicomStreamReader during DICOM meta-header parsing when processing malformed metadata structures, where the parser may read beyond the allocated metadata buffer bounds. CVE-2026-5438 is a gzip decompression bomb triggered by an HTTP request with Content-Encoding: gzip, where Orthanc does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. CVE-2026-5439 is a memory exhaustion flaw in ZIP archive processing where Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing uncompressed size, allowing a forged size value to cause allocation of extremely large buffers during extraction. CVE-2026-5440 is a memory exhaustion vulnerability in the HTTP server via unbounded use of the Content-Length header, where Orthanc allocates memory directly based on the attacker-supplied value without enforcing an upper limit, and a crafted request with a Content-Length of approximately 4 GB can trigger excessive allocation and server termination even without sending a request body. CVE-2026-5441 is an out-of-bounds read in DecodePsmctRle1 in DicomImageDecoder.cpp, where the PMSCT_RLE1 decompression routine decodes the proprietary Philips compression format but does not properly validate escape markers near the end of the compressed data stream, enabling a crafted sequence at the end of the buffer to read beyond the allocated memory region and leak heap data into the rendered image output. CVE-2026-5442 is a heap buffer overflow in the DICOM image decoder where dimension fields are encoded using Value Representation (VR) Unsigned Long (UL) instead of the expected VR Unsigned Short (US), allowing extremely large dimensions that cause an integer overflow during frame size calculation and out-of-bounds memory access during image decoding.
CVE-2026-5443 is a heap buffer overflow during PALETTE COLOR DICOM image decoding where pixel length validation uses 32-bit multiplication for width and height; if these values overflow, the validation check incorrectly succeeds, allowing reads and writes beyond allocated buffers. CVE-2026-5444 is a heap buffer overflow in Portable Arbitrary Map (PAM) image parsing logic where Orthanc multiplies image dimensions using 32-bit unsigned arithmetic for a crafted PAM image embedded in a DICOM file, allowing integer overflow during buffer size calculation that results in allocation of a small buffer followed by a much larger write operation during pixel processing. CVE-2026-5445 is an out-of-bounds read in DecodeLookupTable in DicomImageDecoder.cpp, where lookup-table decoding for PALETTE COLOR images does not validate pixel indices against the lookup table size, so crafted images with indices larger than the palette size can cause reading beyond allocated lookup table memory and expose heap contents in the output image.
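As an added illustration of the 32-bit multiplication problem behind the PALETTE COLOR, PAM and UL-dimension issues described above (example code written for this page, not Orthanc's own source), the following C compares a frame-size check that multiplies in 32 bits with an overflow-checked form; the 1 GiB cap, the function names and the constructed dimensions are assumptions, not values from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap on a single decoded frame (not an Orthanc setting). */
#define MAX_FRAME_BYTES ((uint64_t)1 << 30)

/* Pattern behind the flaw: width * height * bpp computed in 32 bits wraps
 * modulo 2^32, so a huge frame can yield a small "required" byte count. */
static uint32_t frame_bytes_32bit(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp; /* silently wraps */
}

/* Validation built on the wrapped value: it passes for dimensions the buffer
 * cannot hold, which is how the overflow becomes an out-of-bounds access. */
static bool frame_fits_32bit(uint32_t width, uint32_t height, uint32_t bpp,
                             size_t pixel_data_len)
{
    return frame_bytes_32bit(width, height, bpp) <= pixel_data_len;
}

/* Hardened form: reject zero sizes, enforce the 16-bit range that DICOM gives
 * Rows (0028,0010) and Columns (0028,0011) as VR US (so a UL-encoded value
 * above 65535 is refused outright), multiply in 64 bits, and apply a hard
 * upper cap before comparing against the available pixel data. */
static bool frame_fits_checked(uint32_t width, uint32_t height, uint32_t bpp,
                               size_t pixel_data_len)
{
    if (width == 0 || height == 0 || bpp == 0) return false;
    if (width > UINT16_MAX || height > UINT16_MAX) return false;
    uint64_t pixels = (uint64_t)width * height;        /* < 2^32, cannot wrap */
    if (pixels > MAX_FRAME_BYTES / bpp) return false;  /* pixels * bpp exceeds cap */
    uint64_t needed = pixels * bpp;
    return needed <= pixel_data_len;
}

int main(void)
{
    /* Constructed dimensions: 65536 x 65537 x 1 byte wraps to 65536 in 32 bits,
     * so a 64 KiB buffer "fits" under the weak check. */
    printf("32-bit check: %s\n",
           frame_fits_32bit(0x10000u, 0x10001u, 1u, 65536) ? "accepts" : "rejects");
    printf("checked:      %s\n",
           frame_fits_checked(0x10000u, 0x10001u, 1u, 65536) ? "accepts" : "rejects");
    return 0;
}
```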
The vulnerabilities in Orthanc DICOM Server 1.12.10 and earlier allow attackers to trigger heap memory corruption, out-of-bounds reads, information disclosure, and DoS conditions through crafted DICOM files and HTTP requests. The most severe issues are heap-based buffer overflows in image parsing and decoding logic that can crash the Orthanc process and may, under certain conditions, provide a pathway to remote code execution (RCE). Several additional flaws permit out-of-bounds reads that can expose heap-resident data, including allocator metadata, internal identifiers, pointers, and portions of adjacent DICOM content, through rendered image output. Multiple vulnerabilities enable resource exhaustion by causing Orthanc to allocate excessive amounts of memory based on attacker-controlled metadata such as Content-Length, ZIP archive size fields, and gzip decompression size values, which can reliably result in process termination and DoS, often with only a small crafted payload. Some affected code paths may also allow malicious DICOM content to be stored and later re-triggered during normal processing, increasing the persistence and operational impact of exploitation.
Orthanc released version 1.12.11 to address these vulnerabilities, and users are strongly encouraged to upgrade as soon as possible. Administrators should review deployment configurations to limit exposure of upload and image processing functionality to trusted users and networks wherever possible, and refer to Orthanc documentation and release notes for patching and deployment guidance.
Machine Spirits UG disclosed the reported issues, and the advisory text attributes authorship to Michael Bragg. Report references include heap buffer overflow and out-of-bounds read advisories for specific components, plus memory exhaustion and gzip decompression bomb advisories, each with a corresponding URL listed in the source material.