JustAppSec
UNKNOWN Severity

CVE-2026-5438

Last updated Apr 09, 2026 · Published Apr 09, 2026


Description

A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
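The defensive counterpart to the description above, as an added example that is not Orthanc's code: a small Python decoder for a gzip-encoded request body that never sizes a buffer from the stream's own metadata and stops inflating once a configured cap is exceeded. The cap value, the function and exception names and the three sample bodies are constructed for this illustration. The gzip trailer's ISIZE field is the only size metadata in the gzip format, so it is used here as the "attacker-controlled compression metadata" the record refers to; the CVE text does not name the field, so that reading is an assumption.

```python
"""Bounded gzip decompression for an HTTP request body (added example, not Orthanc code)."""
import gzip
import struct
import zlib

# Hypothetical server policy: the largest decompressed request body we are willing to hold.
MAX_DECOMPRESSED_BYTES = 1 * 1024 * 1024  # 1 MiB


class DecompressionLimitExceeded(Exception):
    """Raised when a gzip body would inflate past the configured cap."""


def declared_uncompressed_size(gz: bytes) -> int:
    """Return the ISIZE field from the gzip trailer (uncompressed length mod 2**32).

    Whoever produced the stream wrote this value, so a server that sizes its output
    buffer from it (e.g. bytearray(declared_uncompressed_size(body))) lets the client
    choose how much memory the server allocates: that is the CWE-770 pattern.
    """
    if len(gz) < 18:  # 10-byte header + 8-byte trailer is the smallest gzip member
        raise ValueError("too short to be a gzip member")
    return struct.unpack("<I", gz[-4:])[0]


def gunzip_bounded(gz: bytes, max_output: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate a gzip body while holding at most max_output + 1 bytes of output.

    The trailer is never consulted for sizing; output is produced in capped steps
    via zlib's max_length, so a tiny input that expands to gigabytes is cut off early.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    pending = gz
    try:
        while True:
            # Ask for at most one byte beyond the remaining budget: if we receive it,
            # the body is too large and we stop without inflating the rest.
            budget = max_output - len(out) + 1
            chunk = inflater.decompress(pending, max_length=budget)
            out += chunk
            if len(out) > max_output:
                raise DecompressionLimitExceeded(
                    f"decompressed body exceeds {max_output} bytes")
            if inflater.eof:
                break
            pending = inflater.unconsumed_tail
            if not pending and not chunk:
                # Input fully consumed, no end-of-stream marker, no progress: truncated.
                raise ValueError("truncated gzip stream")
    except zlib.error as exc:
        # zlib itself verifies CRC32 and ISIZE at end of stream; a forged trailer lands here.
        raise ValueError(f"corrupt gzip stream: {exc}") from None
    if inflater.unused_data:
        raise ValueError("trailing data after gzip member")
    return bytes(out)


# --- Constructed sample inputs (not taken from the CVE record) ---
LEGIT_BODY = b'{"PatientName": "DOE^JOHN"}'
LEGIT_GZ = gzip.compress(LEGIT_BODY)

# A few KiB of input that inflates to 8 MiB: long runs of zeros compress extremely well.
HIGHLY_COMPRESSIBLE_GZ = gzip.compress(b"\x00" * (8 * 1024 * 1024))

# The legitimate body again, but with the ISIZE trailer rewritten to claim about 4 GiB.
FORGED_TRAILER_GZ = LEGIT_GZ[:-4] + struct.pack("<I", 0xFFFFFFFF)


def classify(gz: bytes, max_output: int = MAX_DECOMPRESSED_BYTES) -> str:
    """Summarise what the bounded decoder does with a body: 'ok', 'too_large' or 'corrupt'."""
    try:
        gunzip_bounded(gz, max_output)
        return "ok"
    except DecompressionLimitExceeded:
        return "too_large"
    except ValueError:
        return "corrupt"


if __name__ == "__main__":
    print("legit body:", classify(LEGIT_GZ), f"({len(LEGIT_GZ)} bytes in)")
    print("highly compressible body:", classify(HIGHLY_COMPRESSIBLE_GZ),
          f"({len(HIGHLY_COMPRESSIBLE_GZ)} bytes in)")
    print("forged trailer declares", declared_uncompressed_size(FORGED_TRAILER_GZ),
          "bytes ->", classify(FORGED_TRAILER_GZ))
```

The two checks work together: the budgeted `max_length` loop bounds memory regardless of what the stream claims, and letting zlib finish the member means a trailer that disagrees with the real output is rejected rather than trusted. On the detection side, a request whose compressed size is orders of magnitude smaller than the decompressed size it reaches before being cut off is worth logging with the client address and the ratio.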

Affected products

1 listed
  • Orthanc:DICOM Server

Mappings

CWE

CWE-770

CAPEC

None listed.


CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms
