Memory Exhaustion Vulnerability in Orthanc by Machine Spirits
CVE-2026-5438

7.5 HIGH

Key Information:

Vendor: Orthanc

CVE Published: 9 April 2026

What is CVE-2026-5438?

A memory exhaustion vulnerability exists in Orthanc when processing HTTP requests that utilize the 'Content-Encoding: gzip' header. The server currently lacks proper limitations on the size of decompressed data, which enables attackers to exploit the compression metadata of specially crafted gzip payloads. This can lead to excessive memory allocation, causing the server to exhaust system memory resources and potentially disrupt services.
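A size-capped gzip decoder of the kind the description says is missing, given here as an added example and not as Orthanc's code or its fix. The 64 KiB limit and all function names are assumptions for illustration, and treating the gzip trailer's ISIZE field as the "compression metadata" in question is also an assumption.

```python
import gzip
import struct
import zlib

MAX_DECODED = 64 * 1024  # assumed policy limit, not an Orthanc setting


class DecodedBodyTooLarge(Exception):
    """The decoded request body would exceed the configured limit."""


def declared_isize(body: bytes) -> int:
    """ISIZE from the gzip trailer (RFC 1952): sender-supplied, so never
    a safe basis for sizing an output buffer."""
    return struct.unpack("<I", body[-4:])[0]


def bounded_gunzip(body: bytes, limit: int = MAX_DECODED, chunk: int = 4096) -> bytes:
    """Inflate a gzip body incrementally, failing once output passes limit."""
    inflater = zlib.decompressobj(wbits=31)  # wbits=31 selects gzip framing
    out = bytearray()
    for offset in range(0, len(body), chunk):
        if inflater.eof:
            break  # ignore bytes after the end of the gzip member
        pending = body[offset:offset + chunk]
        while pending and not inflater.eof:
            # Request one byte more than the remaining budget so that an
            # oversized stream is detected without inflating the rest.
            out += inflater.decompress(pending, limit - len(out) + 1)
            if len(out) > limit:
                raise DecodedBodyTooLarge(f"decoded body exceeds {limit} bytes")
            pending = inflater.unconsumed_tail
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def constructed_sample() -> bytes:
    """Constructed test input: 1 MiB of zero bytes, gzip-compressed."""
    return gzip.compress(b"\0" * (1024 * 1024))


if __name__ == "__main__":
    sample = constructed_sample()
    print(len(sample), "bytes on the wire, trailer declares", declared_isize(sample))
    try:
        bounded_gunzip(sample)
    except DecodedBodyTooLarge as exc:
        print("rejected:", exc)
```

The decoder's memory use stays bounded by `limit` plus one chunk regardless of what the trailer declares, which is the property to verify in any server that accepts `Content-Encoding: gzip`.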

Affected Version(s)

DICOM Server 0 <= 1.12.10

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
