Zero Day MonitorZDM

← Back to list

—

CVE-2026-5438

Orthanc · DICOM Server

Gzip Decompression Bomb via Content-Encoding Header

Description

A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.

Affected Products

Vendor	Product	Versions
Orthanc	DICOM Server	0, 1.12.10

References

Related News (2 articles)

Tier C

VulDB7h ago

CVE-2026-5438 | Orthanc DICOM Server up to 1.12.10 Gzip Content-Encoding allocation of resources

→ No new info (linked only)

Tier B

CERT/CC Vuln Notes8h ago

VU#536588: Multiple Heap Buffer Overflows in Orthanc DICOM Server

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

PublishedApr 9, 2026

Last enriched6h agov2

Trending Score31

Source articles2

Independent2

Info Completeness6/14

Missing: cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-5440

Memory Exhaustion via Unbounded Content-Length

NONECVE-2026-5445

Out-of-Bounds Read in DicomImageDecoder (DecodeLookupTable)

NONECVE-2026-5443

Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)

NONECVE-2026-5441

Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression)

NONECVE-2026-5439

Memory Exhaustion via Forged ZIP Metadata

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 9, 2026

Discovered by ZDM

Apr 9, 2026

Updated: affectedVersions

Apr 9, 2026

Version History

v2

Last enriched 6h ago

v2Tier C6h ago

Updated affected versions to include 1.12.10, changed severity to HIGH, and noted that the vulnerability is actively exploited.

affectedVersions

via VulDB

v17h ago

Initial creation