Orthanc fixes DICOM parsing flaws enabling DoS and potential RCE
TL;DR — Nine Orthanc DICOM Server flaws let attackers crash the server, leak heap data, and potentially reach remote code execution via crafted DICOM images or HTTP requests.
What happened
Orthanc is an open-source DICOM server used to store, process, and retrieve medical imaging data, typically exposing an HTTP interface for uploads, retrieval, and automation.
SecurityWeek reports that CERT/CC coordinated disclosure for nine vulnerabilities in Orthanc, tracked as CVE-2026-5437 through CVE-2026-5445, impacting Orthanc 1.12.10 and earlier. The issues span out-of-bounds reads, resource exhaustion, and heap buffer overflows across DICOM parsing, image decoding, and HTTP request handling.
| CVE | Bug class (as described by CERT/CC) | Attack surface example |
|---|---|---|
| CVE-2026-5437 | Out-of-bounds read in DICOM meta-header parsing (DicomStreamReader) | Crafted DICOM metadata |
| CVE-2026-5438 | Gzip decompression bomb (no decompressed-size limit) | HTTP request with Content-Encoding: gzip |
| CVE-2026-5439 | ZIP metadata trust → memory exhaustion during extraction | ZIP uploads to affected endpoints |
| CVE-2026-5440 | Unbounded Content-Length → excessive allocation / termination | HTTP request with huge Content-Length |
| CVE-2026-5441 | Out-of-bounds read in Philips compression decode | Crafted compressed image data |
| CVE-2026-5442 | Heap buffer overflow via integer overflow in frame-size calc (UL vs US dimensions) | Crafted DICOM dimensions |
| CVE-2026-5443 | Heap buffer overflow in PALETTE COLOR decoding (32-bit overflow) | Crafted palette color images |
| CVE-2026-5444 | Heap buffer overflow in PAM image parsing (32-bit overflow) | Crafted PAM-in-DICOM content |
| CVE-2026-5445 | Out-of-bounds read in lookup-table decode (palette index not validated) | Crafted pixel indices |
CERT/CC’s impact statement (as relayed by SecurityWeek) highlights that the most severe issues are heap-based buffer overflows in image parsing/decoding that can crash Orthanc and may, under certain conditions, provide a pathway to RCE.
This is the class of bug that tends to become operationally urgent when the service is reachable from less-trusted networks (or ingesting untrusted studies): “just parsing images” becomes an attacker-controlled memory-safety boundary, and DICOM pipelines often have broad lateral reach into clinical systems.
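The three heap-overflow rows and the lookup-table row in the table above share one root cause: a buffer size derived from attacker-controlled dimensions in 32-bit arithmetic, or a palette index used without a bounds check. The C block below is an added illustration of that bug class next to its fix; it is not Orthanc's code and does not reproduce its decoders. The struct, its field names, the MAX_FRAME_BYTES cap and the sample dimensions are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed frame descriptor for illustration only. Dimensions are held in
 * 32-bit fields on purpose: a DICOM attribute carried as UL (32-bit) instead
 * of the expected US (16-bit) can exceed 65535, which is the situation the
 * frame-size row of the table describes. Field names are assumptions. */
typedef struct {
    uint32_t rows;              /* Rows (0028,0010) */
    uint32_t columns;           /* Columns (0028,0011) */
    uint32_t samples_per_pixel; /* Samples per Pixel (0028,0002) */
    uint32_t bytes_per_sample;  /* Bits Allocated / 8 */
} FrameDims;

/* Vulnerable pattern: the product is formed in uint32_t and silently wraps,
 * so a huge frame can yield a tiny (even zero) buffer size. Any later copy of
 * the real pixel data into that buffer is a heap overflow. */
static uint32_t frame_size_unchecked(const FrameDims *d) {
    return d->rows * d->columns * d->samples_per_pixel * d->bytes_per_sample;
}

/* Overflow-checked multiply: refuses to produce a wrapped result. */
static bool checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) {
        return false;
    }
    *out = a * b;
    return true;
}

/* Policy cap on one decoded frame (constructed value for the example). */
#define MAX_FRAME_BYTES ((size_t)512u * 1024u * 1024u)

/* Hardened pattern: every multiply is checked, zero dimensions are rejected,
 * and the result is compared against an explicit allocation budget. */
static bool frame_size_checked(const FrameDims *d, size_t *out) {
    size_t n = 0;
    if (d->rows == 0 || d->columns == 0 ||
        d->samples_per_pixel == 0 || d->bytes_per_sample == 0) {
        return false;
    }
    if (!checked_mul(d->rows, d->columns, &n) ||
        !checked_mul(n, d->samples_per_pixel, &n) ||
        !checked_mul(n, d->bytes_per_sample, &n)) {
        return false;
    }
    if (n > MAX_FRAME_BYTES) {
        return false;
    }
    *out = n;
    return true;
}

/* Palette lookup that validates the index against the table length, the
 * check whose absence the lookup-table row of the table describes. */
static bool lut_lookup(const uint16_t *lut, size_t lut_entries,
                       uint16_t index, uint16_t *out) {
    if (index >= lut_entries) {
        return false;
    }
    *out = lut[index];
    return true;
}

int main(void) {
    /* Constructed inputs: a plausible 512x512 CT frame and a 65536x65536 frame. */
    FrameDims ct = { 512, 512, 1, 2 };
    FrameDims huge = { 65536, 65536, 1, 1 };
    size_t n = 0;
    bool ok = frame_size_checked(&ct, &n);
    printf("ct: unchecked=%u checked=%s (%zu bytes)\n",
           frame_size_unchecked(&ct), ok ? "ok" : "rejected", n);

    /* 65536 * 65536 == 2^32, which wraps to 0 in uint32_t arithmetic. */
    ok = frame_size_checked(&huge, &n);
    printf("huge: unchecked=%u checked=%s\n",
           frame_size_unchecked(&huge), ok ? "ok" : "rejected");

    uint16_t lut[4] = { 10, 20, 30, 40 };
    uint16_t v = 0;
    ok = lut_lookup(lut, 4, 2, &v);
    printf("lut[2]: %s %u\n", ok ? "ok" : "rejected", v);
    ok = lut_lookup(lut, 4, 9, &v);
    printf("lut[9]: %s\n", ok ? "ok" : "rejected");
    return 0;
}
```

The checked path deliberately fails closed: a frame whose dimensions do not fit the allocation budget is rejected before any buffer exists, which turns a memory-corruption bug into a logged decode error. In a real decoder the same budget is also where a per-request or per-process memory limit belongs, so a rejected frame does not become the resource-exhaustion case listed in the table.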
Who is impacted
- Any deployment running Orthanc 1.12.10 or earlier.
- Higher-risk environments where Orthanc’s HTTP endpoints are reachable by untrusted clients or where Orthanc ingests medical imaging data from outside a tightly controlled acquisition network.
- Deployments that accept uploads or automate ingestion (increasing exposure to crafted DICOM content, compressed payloads, and large/malicious HTTP requests).
What to do now
- Follow vendor remediation guidance and apply the patched Orthanc release referenced by CERT/CC.
- CERT/CC’s solution section states Orthanc released 1.12.11 to address the vulnerabilities.
- Vendor statements included in the CERT/CC note repeat: "users are strongly advised to upgrade to, at least, Orthanc 1.12.11, where this vulnerability has been addressed."
- Reduce exposure while patching rolls out:
  - Limit network reachability of Orthanc’s HTTP interface to trusted users and networks (especially any upload-capable endpoints).
  - Review deployment configurations to minimize who/what can submit DICOM content for decoding.
- If compromise or abuse is suspected (e.g., unexplained crashes, memory spikes):
  - Preserve crash dumps/logs, and review recent uploads/requests that triggered decoders or compressed request handling paths.
  - Treat affected instances as potentially data-exposed (CERT/CC describes scenarios that can leak heap-resident data into rendered output).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
