SB2026040982 - Multiple vulnerabilities in Orthanc DICOM Server
Published: April 9, 2026
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-5437)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in DicomStreamReader when parsing DICOM meta-header metadata structures. A remote attacker can supply a malformed DICOM file to disclose sensitive information.
2) Resource exhaustion (CVE-ID: CVE-2026-5438)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in HTTP request handling when processing an HTTP request with Content-Encoding: gzip. A remote attacker can send a specially crafted gzip payload to cause a denial of service.
3) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-5439)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in ZIP archive processing when extracting uploaded ZIP archives. A remote attacker can upload a crafted ZIP archive with forged size metadata to cause a denial of service.
The issue affects endpoints that automatically extract uploaded ZIP archives.
4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-5440)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in the HTTP server when handling requests with an attacker-supplied Content-Length header. A remote attacker can send a crafted HTTP request with an extremely large Content-Length value to cause a denial of service.
The issue can be triggered without sending a request body.
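Items 2, 3 and 4 share one mitigation pattern: a declared size (Content-Length, a ZIP entry's recorded uncompressed size) is checked against a limit before anything is reserved for it, and decompressed output is capped by the bytes actually produced rather than by what the compressed headers claim. The following C++ code is an added example of that pattern; it is not Orthanc's code. The function and class names (parseContentLength, acceptDeclaredLength, BoundedSink, drainWithCap), the limit values and the simulated decoder loop are all assumptions made for the illustration.

```cpp
#include <cstdint>
#include <cstddef>
#include <string>
#include <vector>

// Parse a Content-Length value strictly: decimal digits only, no sign, no
// whitespace, and short enough that the product cannot wrap. Returns false on
// anything else so the caller rejects the request instead of guessing.
bool parseContentLength(const std::string& value, uint64_t& out)
{
  if (value.empty() || value.size() > 19) return false;   // 19 digits always fit in 64 bits
  uint64_t n = 0;
  for (char c : value) {
    if (c < '0' || c > '9') return false;
    n = n * 10 + static_cast<uint64_t>(c - '0');
  }
  out = n;
  return true;
}

// Decide on the header alone, before any buffer is sized from it. A request
// that declares a huge length and then sends no body therefore costs nothing.
// maxBodyBytes is an assumed policy value supplied by the caller.
bool acceptDeclaredLength(const std::string& header, uint64_t maxBodyBytes)
{
  uint64_t len = 0;
  return parseContentLength(header, len) && len <= maxBodyBytes;
}

// Sink that counts bytes a decoder (gzip body, ZIP entry) actually emits and
// refuses to grow past a cap. Because the cap is applied to observed output,
// forged size fields in the compressed data cannot steer the allocation.
class BoundedSink
{
public:
  explicit BoundedSink(uint64_t cap) : cap_(cap) {}

  // Returns false once the cap would be exceeded; the caller then aborts decoding.
  bool write(const uint8_t* data, size_t n)
  {
    if (n > cap_ - buffer_.size()) return false;
    buffer_.insert(buffer_.end(), data, data + n);
    return true;
  }

  size_t size() const { return buffer_.size(); }

private:
  uint64_t cap_;
  std::vector<uint8_t> buffer_;
};

// Simulated decoder loop (assumption: stands in for a real inflate loop). The
// declared size is deliberately ignored; only the chunks really produced count.
// Returns how many bytes were accepted before the cap stopped decoding.
size_t drainWithCap(uint64_t declaredSize, uint64_t actualChunks, uint64_t cap)
{
  (void)declaredSize;                 // metadata from the archive must not size anything
  BoundedSink sink(cap);
  uint8_t chunk[1024] = {0};          // constructed sample output, 1 KiB per chunk
  for (uint64_t i = 0; i < actualChunks; ++i) {
    if (!sink.write(chunk, sizeof(chunk))) break;
  }
  return sink.size();
}
```

In a server the rejected request should also be logged with the declared length and the client address, since a burst of oversized declarations or truncated decompressions is a usable detection signal.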
5) Out-of-bounds read (CVE-ID: CVE-2026-5441)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the DecodePsmctRle1 function of DicomImageDecoder.cpp when decoding PMSCT_RLE1 compressed image data. A remote attacker can supply a crafted image with escape markers near the end of the compressed data stream to disclose sensitive information.
Heap data may be exposed through the rendered image output.
6) Heap-based buffer overflow (CVE-ID: CVE-2026-5442)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in the DICOM image decoder when decoding images with dimension fields encoded as VR Unsigned Long values. A remote attacker can supply a crafted DICOM file with extremely large dimensions to execute arbitrary code.
The issue is triggered by an integer overflow during frame size calculation.
7) Heap-based buffer overflow (CVE-ID: CVE-2026-5443)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in PALETTE COLOR image decoding when validating pixel length using 32-bit multiplication for width and height calculations. A remote attacker can supply a crafted PALETTE COLOR DICOM image to execute arbitrary code.
The issue is triggered when integer overflow causes the validation check to incorrectly succeed.
8) Heap-based buffer overflow (CVE-ID: CVE-2026-5444)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in the PAM image parsing logic when processing a crafted PAM image embedded in a DICOM file. A remote attacker can supply a crafted DICOM file containing a PAM image with chosen dimensions to execute arbitrary code.
The issue is triggered by integer overflow during buffer size calculation, causing a small allocation followed by a larger write operation during pixel processing.
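Items 6, 7 and 8 are the same defect in three places: a frame or buffer size computed as width times height times samples in 32-bit arithmetic, where a crafted dimension makes the product wrap to a small value that either sizes the allocation (items 6 and 8) or satisfies a length check (item 7). The C++ below is an added example, not Orthanc's code, showing the wrapping arithmetic beside an overflow-checked version; the names unsafeFrameSize, safeFrameSize, checkedMul, unsafePixelLengthCheck and safePixelLengthCheck and the maxFrameBytes policy cap are assumptions.

```cpp
#include <cstdint>
#include <cstddef>

// Naive form: the product is evaluated in 32 bits. For 65536 x 65537 it wraps
// to 65536, so the buffer allocated from it is far smaller than the decoder
// later writes into it.
uint32_t unsafeFrameSize(uint32_t width, uint32_t height,
                         uint32_t samples, uint32_t bytesPerSample)
{
  return width * height * samples * bytesPerSample;
}

// Multiply with an explicit overflow test. Operands are taken by value so the
// output reference may alias an input.
bool checkedMul(uint64_t a, uint64_t b, uint64_t& out)
{
  if (a != 0 && b > UINT64_MAX / a) return false;
  out = a * b;
  return true;
}

// Checked form: every step is verified, and a representable size must still
// respect a policy cap (maxFrameBytes, an assumed limit chosen by the caller).
// Returning false means "malformed file, reject", never "allocate anyway".
bool safeFrameSize(uint32_t width, uint32_t height, uint32_t samples,
                   uint32_t bytesPerSample, uint64_t maxFrameBytes, uint64_t& out)
{
  uint64_t size = 0;
  if (!checkedMul(width, height, size)) return false;
  if (!checkedMul(size, samples, size)) return false;
  if (!checkedMul(size, bytesPerSample, size)) return false;
  if (size > maxFrameBytes) return false;
  out = size;
  return true;
}

// Item 7's shape is the reverse direction: validating that the supplied pixel
// data is long enough. With wrapped arithmetic a tiny pixel buffer passes the
// check for a huge image, and the decoder then writes past it.
bool unsafePixelLengthCheck(uint32_t width, uint32_t height,
                            uint32_t bytesPerPixel, size_t pixelDataLength)
{
  return pixelDataLength >= width * height * bytesPerPixel;
}

bool safePixelLengthCheck(uint32_t width, uint32_t height,
                          uint32_t bytesPerPixel, size_t pixelDataLength)
{
  uint64_t needed = 0;
  if (!checkedMul(width, height, needed)) return false;
  if (!checkedMul(needed, bytesPerPixel, needed)) return false;
  return pixelDataLength >= needed;
}
```

Compilers also offer __builtin_mul_overflow (GCC and Clang) for the same check; the hand-written division test is used here only so the example has no compiler dependency.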
9) Out-of-bounds read (CVE-ID: CVE-2026-5445)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the DecodeLookupTable function within DicomImageDecoder.cpp when decoding lookup tables for PALETTE COLOR images. A remote attacker can supply a crafted image containing pixel indices larger than the palette size to disclose sensitive information.
Heap contents may be exposed in the output image.
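Item 9 is an index validation failure: each pixel value selects a palette entry, and a value beyond the table's end reads heap memory that then lands in the output image. The following C++ is an added example of a bounds-checked lookup, not Orthanc's code. It uses the DICOM convention that a palette descriptor carries a first-mapped value (pixel values below it are also out of range); the names Rgb, lookupChecked, DecodeResult and decodePaletteFrame, the strict/lenient policy switch and the sample palette and indices are assumptions constructed for the illustration.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

struct Rgb { uint8_t r, g, b; };

// Resolve one pixel value against the palette. firstMapped is the "first value
// mapped" from the lookup table descriptor; entries below it and offsets at or
// beyond palette.size() are rejected instead of being read.
bool lookupChecked(const std::vector<Rgb>& palette, uint16_t firstMapped,
                   uint16_t index, Rgb& out)
{
  if (index < firstMapped) return false;
  size_t offset = static_cast<size_t>(index - firstMapped);
  if (offset >= palette.size()) return false;
  out = palette[offset];
  return true;
}

struct DecodeResult {
  bool ok;                  // false when strict mode stopped on a bad index
  size_t rejectedPixels;    // count of out-of-range indices seen
  std::vector<Rgb> pixels;  // decoded output
};

// Decode a frame of indices. strict=true refuses the image on the first
// out-of-range value; strict=false substitutes black and keeps going. Either
// way rejectedPixels is worth logging: a non-zero count on a production feed
// is a cheap detection signal for malformed PALETTE COLOR objects.
DecodeResult decodePaletteFrame(const std::vector<Rgb>& palette, uint16_t firstMapped,
                                const std::vector<uint16_t>& indices, bool strict)
{
  DecodeResult result{true, 0, {}};
  result.pixels.reserve(indices.size());
  for (uint16_t idx : indices) {
    Rgb px{0, 0, 0};
    if (!lookupChecked(palette, firstMapped, idx, px)) {
      ++result.rejectedPixels;
      if (strict) { result.ok = false; break; }
    }
    result.pixels.push_back(px);
  }
  return result;
}
```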
Remediation
Install the update from the vendor's website.
References
- https://www.kb.cert.org/vuls/id/536588
- https://www.machinespirits.com/advisory/126f96/
- https://www.machinespirits.com/advisory/faca4b/
- https://www.machinespirits.com/advisory/735e61/
- https://www.machinespirits.com/advisory/1f0f72/
- https://www.machinespirits.com/advisory/4bcfdc/
- https://www.machinespirits.com/advisory/615070/
- https://www.machinespirits.com/advisory/553dfa/
- https://www.machinespirits.com/advisory/b7ced5/
- https://www.machinespirits.com/advisory/33488c/