Zero Day Monitor (ZDM) © 2026
CVE-2026-5439
Orthanc · DICOM Server

Memory Exhaustion via Forged ZIP Metadata

Description

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
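The defensive counterpart to the pattern described above, written here as an added example (it is not Orthanc's code and does not show how Orthanc extracts archives): an in-memory ZIP extractor that never sizes a buffer from the archive's declared uncompressed length, but inflates each entry in fixed chunks and stops as soon as the bytes actually produced exceed a cap. The cap value, the function names, and the archives built by `build_zip` and patched by `forge_declared_size` are all constructed for this demonstration; the only library used is Python's standard `zipfile`, whose header layout (size field at offset 22 of the local header and offset 24 of the central directory entry) is what the forging helper relies on.

```python
import io
import struct
import zipfile

# Hard cap on bytes one upload may inflate to. Constructed for this example;
# a real deployment sizes it to the largest legitimate upload it expects.
MAX_TOTAL_UNCOMPRESSED = 64 * 1024
CHUNK = 16 * 1024


class ArchiveTooLarge(ValueError):
    """Raised when inflating an archive would exceed the configured cap."""


def naive_allocation(info: zipfile.ZipInfo) -> int:
    """Bytes a header-trusting extractor would reserve for one entry.

    This is the flawed pattern in the advisory: the uncompressed-size field is
    attacker-controlled, so a few-hundred-byte upload can demand a buffer of
    several gigabytes. The value is only returned here, never allocated.
    """
    return info.file_size


def safe_extract(zip_bytes: bytes, max_total: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Inflate every entry without trusting any declared size.

    Memory is bounded by the cap plus one chunk: nothing is pre-sized from the
    header, each entry is read in CHUNK-sized pieces, and the count of bytes
    actually produced is checked after every piece. A forged size therefore
    cannot trigger a large allocation, and an archive that really does inflate
    past the cap is cut off mid-stream.
    """
    extracted = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            pieces = []
            with zf.open(info) as fh:
                while True:
                    piece = fh.read(CHUNK)
                    if not piece:
                        break
                    total += len(piece)
                    if total > max_total:
                        raise ArchiveTooLarge(
                            f"{info.filename}: inflated output exceeds {max_total} bytes")
                    pieces.append(piece)
            extracted[info.filename] = b"".join(pieces)
    return extracted


def build_zip(entries: dict) -> bytes:
    """Build a deflated ZIP in memory from {name: content}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def forge_declared_size(zip_bytes: bytes, fake_size: int) -> bytes:
    """Overwrite the uncompressed-size field of a single-entry archive.

    Local file header (signature PK 03 04): size field at offset 22.
    Central directory entry (signature PK 01 02): size field at offset 24.
    CRC and compressed data are left intact, so the archive still parses; it
    simply lies about how large the entry becomes once inflated.
    """
    buf = bytearray(zip_bytes)
    packed = struct.pack("<L", fake_size)
    local = buf.find(b"PK\x03\x04")
    central = buf.rfind(b"PK\x01\x02")
    buf[local + 22:local + 26] = packed
    buf[central + 24:central + 28] = packed
    return bytes(buf)


def run_scenarios() -> dict:
    """Exercise the extractor against honest, forged and genuinely oversized input."""
    honest = build_zip({"report.txt": b"constructed study metadata"})
    forged = forge_declared_size(honest, 0xFFFF_0000)     # claims about 4 GiB
    bomb = build_zip({"zeros.bin": b"\0" * (200 * 1024)})  # really inflates to 200 KiB

    with zipfile.ZipFile(io.BytesIO(forged)) as zf:
        naive_bytes = naive_allocation(zf.getinfo("report.txt"))

    try:
        safe_extract(bomb)
        bomb_rejected = False
    except ArchiveTooLarge:
        bomb_rejected = True

    return {
        "honest": safe_extract(honest),
        "naive_bytes_for_forged": naive_bytes,
        "forged": safe_extract(forged),
        "bomb_rejected": bomb_rejected,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

The forged archive is a few hundred bytes yet declares an entry of roughly 4 GiB; `naive_allocation` reports that figure, while `safe_extract` returns the real 26-byte content without ever reserving more than one chunk beyond the cap. The second archive makes the opposite point: its declared size is truthful but exceeds the cap, and the running count rejects it after the fifth chunk, so the declared field is never consulted for either decision.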

Affected Products

Vendor    Product        Versions
Orthanc   DICOM Server   0, 1.12.10

References

  • https://www.orthanc-server.com/
  • https://www.machinespirits.de/
  • https://kb.cert.org/vuls/id/536588

Related News (2 articles)

  • [Tier C] VulDB · 5h ago
    CVE-2026-5439 | Orthanc DICOM Server up to 1.12.10 ZIP Archive size allocation of resources
    → No new info (linked only)
  • [Tier B] CERT/CC Vuln Notes · 6h ago
    VU#536588: Multiple Heap Buffer Overflows in Orthanc DICOM Server
    → No new info (linked only)
CISA KEV: No
Actively exploited: No
Published: Apr 9, 2026
Last enriched: 5h ago (v2)
Trending Score: 31
Source articles: 2
Independent: 2
Info Completeness: 6/14
Missing: cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

  • [NONE] CVE-2026-5440 · Memory Exhaustion via Unbounded Content-Length · Trending: 31
  • [NONE] CVE-2026-5445 · Out-of-Bounds Read in DicomImageDecoder (DecodeLookupTable) · Trending: 31
  • [NONE] CVE-2026-5443 · Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode) · Trending: 31
  • [NONE] CVE-2026-5441 · Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression) · Trending: 31
  • [NONE] CVE-2026-5438 · Gzip Decompression Bomb via Content-Encoding Header · Trending: 31

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

  • Apr 9, 2026 · CVE Published
  • Apr 9, 2026 · Discovered by ZDM
  • Apr 9, 2026 · Updated: affectedVersions

Version History

v2 · Tier C · 5h ago (last enriched)
  Updated affected versions to include 1.12.10, changed severity to HIGH, and noted that no exploit is available.
  Changed fields: affectedVersions (via VulDB)

v1 · 6h ago
  Initial creation