Memory Exhaustion Vulnerability in Orthanc by Machine Spirits
CVE-2026-5438
Currently unrated
What is CVE-2026-5438?
A memory exhaustion vulnerability exists in Orthanc when it processes HTTP requests that carry the 'Content-Encoding: gzip' header. The server does not properly limit the size of the decompressed data, so an attacker can exploit the compression metadata of a specially crafted gzip payload. This can lead to excessive memory allocation, causing the server to exhaust system memory and potentially disrupting service.
Affected Version(s)
DICOM Server: versions 0 through 1.12.10 (<= 1.12.10)
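The control the description says is missing, shown as an added example that is not taken from Orthanc or its fix: a gzip request body is inflated in bounded steps and rejected once the decoded size passes a cap. The names decode_gzip_body and BodyTooLarge, the 64 KiB cap, and the sample payloads are assumptions made for this illustration.

```python
import gzip
import zlib

MAX_DECODED_BYTES = 64 * 1024  # assumed cap; set it to the largest legitimate request body
CHUNK = 16 * 1024              # most output a single decompress() call may produce


class BodyTooLarge(Exception):
    """Decoded body exceeded the cap; an HTTP server could answer 413 here."""


def decode_gzip_body(raw: bytes, limit: int = MAX_DECODED_BYTES) -> bytes:
    """Inflate a 'Content-Encoding: gzip' body while holding at most limit + 1 decoded bytes.

    The buffer grows only as output is really produced. No size declared inside
    the gzip stream is used to pre-allocate memory. Corrupt input raises zlib.error.
    """
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + wbits selects gzip framing
    out = bytearray()
    pending = raw
    while not inflater.eof:
        room = limit - len(out) + 1  # always >= 1, so max_length never means "unlimited"
        chunk = inflater.decompress(pending, min(CHUNK, room))
        pending = inflater.unconsumed_tail  # input not yet consumed because output was capped
        if not chunk and not pending:
            raise ValueError("truncated gzip stream")
        out += chunk
        if len(out) > limit:
            raise BodyTooLarge(f"decoded body exceeds {limit} bytes")
    return bytes(out)


if __name__ == "__main__":
    # Constructed samples: a small body, and 1 MiB of zeros that compresses to about 1 KiB.
    small = gzip.compress(b'{"Level": "Patient"}')
    oversized = gzip.compress(bytes(1024 * 1024))
    print(decode_gzip_body(small))
    try:
        decode_gzip_body(oversized)
    except BodyTooLarge as exc:
        print(f"rejected {len(oversized)}-byte request: {exc}")
```

The cap applies to decoded bytes, so a limit on the compressed Content-Length alone does not replace it.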
