Out-of-Bounds Read Vulnerability in DICOM Parser by Orthanc Server
CVE-2026-5437

7.5 HIGH

Key Information:

Vendor: Orthanc
CVE Published: 9 April 2026

What is CVE-2026-5437?

An out-of-bounds read vulnerability in the DicomStreamReader component of Orthanc Server can be triggered while parsing a malformed DICOM meta-header. The issue stems from inadequate input validation in the meta-header parsing logic, which allows the reader to access data beyond the bounds of what it is supposed to process. While it typically does not result in server crashes or direct data exposure, the flaw highlights a meaningful weakness in the software's metadata parsing logic. Users are advised to run the latest version of the software to mitigate this vulnerability.

Affected Version(s)

DICOM Server, versions 0 through 1.12.10 (inclusive)

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved