Memory Exhaustion Vulnerability in Orthanc by Machine Spirits
CVE-2026-5439

Currently unrated

Key Information:

Vendor: Orthanc

CVE Published: 9 April 2026

What is CVE-2026-5439?

A memory exhaustion vulnerability has been identified in the ZIP archive processing feature of Orthanc. This flaw arises when Orthanc automatically extracts uploaded ZIP archives, relying on metadata that specifies the uncompressed size of files. An attacker can exploit this by creating a specially crafted ZIP archive with a manipulated size value, leading the server to allocate disproportionately large buffers during extraction. This can result in resource depletion, affecting server stability and availability. It is essential for users and administrators of Orthanc to implement the latest security updates to mitigate this risk.
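A bounded extraction routine for the failure mode described above, as an added example (not Orthanc's code or its fix): it rejects entries on their declared size first, then streams each one in fixed chunks under a hard cap, so no buffer is ever sized from archive metadata. The limits and all function names are assumptions made for this example, and the sample archive is constructed.

```python
import io
import zipfile

# Assumed limits for this example; tune to the largest upload you expect to ingest.
MAX_ENTRY_BYTES = 64 * 1024 * 1024
MAX_TOTAL_BYTES = 256 * 1024 * 1024
CHUNK = 64 * 1024

class ArchiveRejected(Exception):
    """Raised when an archive breaks a size limit."""

def check_declared_sizes(infos, max_entry, max_total):
    """Reject on header metadata alone, before anything is decompressed."""
    total = 0
    for info in infos:
        if info.file_size > max_entry:
            raise ArchiveRejected(f"{info.filename}: declares {info.file_size} bytes")
        total += info.file_size
        if total > max_total:
            raise ArchiveRejected(f"archive declares more than {max_total} bytes")
    return total

def read_capped(stream, limit, chunk=CHUNK):
    """Buffer grows with bytes actually produced, never from a declared size."""
    out = bytearray()
    while block := stream.read(chunk):
        if len(out) + len(block) > limit:
            raise ArchiveRejected(f"entry produced more than {limit} bytes")
        out += block
    return bytes(out)

def safe_extract(data, max_entry=MAX_ENTRY_BYTES, max_total=MAX_TOTAL_BYTES):
    """Return {name: bytes} for every file entry, or raise ArchiveRejected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        check_declared_sizes(infos, max_entry, max_total)
        files = {}
        for info in infos:
            with zf.open(info) as member:
                files[info.filename] = read_capped(member, max_entry)
        return files

def build_sample_zip():
    """Constructed sample: a well-formed archive with two small entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.dcm", b"A" * 1000)
        zf.writestr("b.dcm", b"B" * 5000)
    return buf.getvalue()

if __name__ == "__main__":
    print({k: len(v) for k, v in safe_extract(build_sample_zip()).items()})
```

Placed in front of an upload endpoint, a check like this bounds memory per request regardless of what the archive headers claim.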

Affected Version(s)

DICOM Server 0 <= 1.12.10

Timeline

  • Vulnerability published

  • Vulnerability Reserved
