Orthanc DICOM Vulnerabilities Expose System to Crashes and Remote Code Execution
Nine Critical Vulnerabilities Found in Open-Source DICOM Server Orthanc
The open-source Digital Imaging and Communications in Medicine (DICOM) server Orthanc has been found vulnerable to nine critical security flaws, allowing attackers to crash servers, leak data, and execute arbitrary code remotely.
Vulnerability Details
- CVE-2026-5437: Out-of-bounds read issue affecting the meta-header parser due to inadequate input validation in the parsing logic.
- CVE-2026-5438: GZIP decompression bomb flaw in the handling of certain HTTP requests: the server allocates memory based on attacker-controlled metadata without enforcing a limit on the decompressed size.
- CVE-2026-5439: Memory exhaustion defect in ZIP archive processing: the server trusts the metadata describing the uncompressed size of archived files, so an attacker can craft size values that terminate the server.
- CVE-2026-5440: Heap-based buffer overflow in image parsing and decoding logic, potentially enabling remote code execution (RCE).
- CVE-2026-5441: Out-of-bounds read weakness in the decompression routine for the proprietary Philips Compression format.
- CVE-2026-5442: Out-of-bounds read weakness in the lookup-table decoding logic for Palette Color images.
- CVE-2026-5443: Out-of-bounds read weakness in the image decoder.
- CVE-2026-5444: Insufficient validation of metadata in the meta-header parser.
- CVE-2026-5445: Missing checks and unsafe arithmetic operations in various components of the Orthanc server.
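The two size-trust bugs above (CVE-2026-5438 and CVE-2026-5439) share one root cause: an allocation driven by a size the client supplies. The Python example below is added here and is not Orthanc's code (Orthanc is written in C++); it shows the weak GZIP pattern beside a bounded, streaming inflate that ignores the declared size, and the limit, chunk size and sample input are constructed for this example. The same byte-counting approach applies to ZIP entry sizes.

```python
import gzip
import struct
import zlib
# Ceiling on how many bytes one request body may inflate to. Constructed value
# for this example; a real server would make it configurable per endpoint.
MAX_DECOMPRESSED = 1 * 1024 * 1024  # 1 MiB
CHUNK = 64 * 1024                   # output produced per inflate step

class DecompressionLimitExceeded(Exception):
    pass

def declared_size_gzip(data: bytes) -> int:
    """Uncompressed size claimed by the gzip ISIZE trailer (client-written, so untrusted)."""
    return struct.unpack("<I", data[-4:])[0]

def decompress_gzip_unsafe(data: bytes) -> bytes:
    """Weak pattern (do not use): size the buffer from the trailer and inflate
    with no ceiling, so the client decides how much memory the server commits."""
    buf = bytearray(declared_size_gzip(data))                  # client-chosen size
    buf[:] = zlib.decompress(data, wbits=16 + zlib.MAX_WBITS)  # unbounded inflate
    return bytes(buf)

def decompress_gzip_bounded(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Hardened pattern: ignore the declared size, inflate in fixed chunks and
    abort as soon as the running total would exceed the limit."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, max_length=CHUNK)  # at most CHUNK bytes out
        pending = d.unconsumed_tail                      # input not yet consumed
        if len(out) + len(piece) > limit:
            raise DecompressionLimitExceeded(f"body inflates past {limit} bytes")
        out += piece
        if not piece and not pending and not d.eof:
            raise zlib.error("truncated gzip stream")
    return bytes(out)

def inflate_request_body(data: bytes, limit: int = MAX_DECOMPRESSED):
    """Handler-side wrapper returning (status, body); never raises to the caller."""
    try:
        return "ok", decompress_gzip_bounded(data, limit)
    except DecompressionLimitExceeded:
        return "rejected:too-large", b""
    except zlib.error:
        return "rejected:corrupt", b""

def constructed_bomb(size: int = 4 * 1024 * 1024) -> bytes:
    """Constructed test input: a highly compressible body, a few KB on the
    wire, that inflates to `size` bytes (4x the limit by default)."""
    return gzip.compress(b"\x00" * size)
```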
According to the CERT Coordination Center (CERT/CC), “These vulnerabilities highlight the importance of thorough testing and validation in software development, particularly when dealing with sensitive applications like medical imaging servers.”
Action Required
Affected versions of Orthanc include 1.12.10 and earlier; users are advised to update to version 1.12.11, which addresses all of these bugs.
