CVE-2026-5443
Orthanc · DICOM Server

Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)

Description

A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
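
The arithmetic failure described above, shown as a weak length check beside a checked one. This is an added example, not Orthanc's code: the function names, parameters, and sample dimensions are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and parameters; constructed for illustration. */

/* Weak check: the required size is computed in 32 bits, so a large
   width * height product wraps modulo 2^32 before the comparison. */
bool pixel_length_ok_weak(uint32_t width, uint32_t height,
                          uint32_t bytes_per_pixel, size_t pixel_bytes)
{
    uint32_t needed = width * height * bytes_per_pixel; /* may wrap */
    return pixel_bytes >= needed;
}

/* Checked form: widen before multiplying and reject any overflow. */
bool pixel_length_ok_checked(uint32_t width, uint32_t height,
                             uint32_t bytes_per_pixel, size_t pixel_bytes)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    /* 32-bit x 32-bit always fits in 64 bits. */
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > UINT64_MAX / bytes_per_pixel)
        return false;
    uint64_t needed = pixels * bytes_per_pixel;
    /* needed <= pixel_bytes also proves needed fits in size_t. */
    return needed <= (uint64_t)pixel_bytes;
}

int main(void)
{
    /* Constructed sample: 65536 * 65536 = 2^32, which wraps to 0. */
    uint32_t w = 65536u, h = 65536u;
    size_t supplied = 16; /* bytes of pixel data actually present */
    printf("weak:    %d\n", pixel_length_ok_weak(w, h, 1, supplied));
    printf("checked: %d\n", pixel_length_ok_checked(w, h, 1, supplied));
    return 0;
}
```

The weak check accepts the constructed dimensions because the wrapped size is 0, while the checked form rejects them.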

Affected Products

Vendor: Orthanc
Product: DICOM Server
Versions: 0, 1.12.10

References

  • https://www.orthanc-server.com/
  • https://www.machinespirits.de/
  • https://kb.cert.org/vuls/id/536588

Related News (2 articles)

  • VulDB (Tier C, 7h ago): CVE-2026-5443 | Orthanc DICOM Server up to 1.12.10 DICOM Image Parser integer overflow
    → No new info (linked only)
  • CERT/CC Vuln Notes (Tier B, 8h ago): VU#536588: Multiple Heap Buffer Overflows in Orthanc DICOM Server
    → No new info (linked only)

CISA KEV: No
Actively exploited: No
Published: Apr 9, 2026
Last enriched: 6h ago (v2)
Trending Score: 31
Source articles: 2
Independent: 2
Info Completeness: 6/14
Missing: cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

  • CVE-2026-5440 (NONE): Memory Exhaustion via Unbounded Content-Length (Trending: 31)
  • CVE-2026-5445 (NONE): Out-of-Bounds Read in DicomImageDecoder (DecodeLookupTable) (Trending: 31)
  • CVE-2026-5441 (NONE): Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression) (Trending: 31)
  • CVE-2026-5438 (NONE): Gzip Decompression Bomb via Content-Encoding Header (Trending: 31)
  • CVE-2026-5439 (NONE): Memory Exhaustion via Forged ZIP Metadata (Trending: 31)

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 9, 2026
Discovered by ZDM: Apr 9, 2026
Updated (affectedVersions): Apr 9, 2026

Version History

Current: v2, last enriched 6h ago

v2 (Tier C, 6h ago)
Updated severity to CRITICAL, added affected version 1.12.10, and corrected exploit availability status.
Changed: affectedVersions (via VulDB)

v1 (7h ago)
Initial creation