Memory Exhaustion Vulnerability in Orthanc HTTP Server
CVE-2026-5440
Currently unrated
What is CVE-2026-5440?
A memory exhaustion vulnerability exists in the Orthanc HTTP server, caused by unbounded use of the Content-Length header. An attacker can send crafted HTTP requests with excessively large Content-Length values. Because the server allocates memory based solely on the header value, without enforcing a maximum, such a request triggers excessive memory allocation. This can lead to server instability and termination even if the malicious request does not include a body, which makes it a serious concern for users relying on Orthanc for reliable data handling.
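One way a server can bound this, shown as an added example that is neither Orthanc's code nor its fix: check Content-Length against a cap before allocating anything, and grow the body buffer only as bytes actually arrive. The 64 MiB limit and the names CheckContentLength and BoundedBody are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Assumed policy limit, not an Orthanc setting: size it to the largest upload you accept.
constexpr std::uint64_t kMaxBodyBytes = 64ull * 1024 * 1024;

// Values double as the HTTP status to answer with (0 = accept).
enum class LengthCheck { Ok = 0, Malformed = 400, TooLarge = 413 };

// Strict parse of a Content-Length value: digits only, capped before any allocation.
LengthCheck CheckContentLength(const std::string& value, std::uint64_t& length) {
  if (value.empty()) return LengthCheck::Malformed;
  std::uint64_t n = 0;
  for (char c : value) {
    if (c < '0' || c > '9') return LengthCheck::Malformed;
    const std::uint64_t digit = static_cast<std::uint64_t>(c - '0');
    // Rejects as soon as n*10+digit would pass the cap, which also rules out overflow.
    if (n > (kMaxBodyBytes - digit) / 10) return LengthCheck::TooLarge;
    n = n * 10 + digit;
  }
  length = n;
  return LengthCheck::Ok;
}

// Body buffer that grows with bytes actually received, never with the declared
// length, so a request that sends only headers costs no body memory.
class BoundedBody {
 public:
  explicit BoundedBody(std::uint64_t declared) : declared_(declared) {}
  // Returns false when the peer sends more than it declared.
  bool Append(const std::string& chunk) {
    if (chunk.size() > declared_ - data_.size()) return false;
    data_.append(chunk);
    return true;
  }
  bool Complete() const { return data_.size() == declared_; }
  std::size_t Capacity() const { return data_.capacity(); }

 private:
  std::uint64_t declared_;
  std::string data_;
};

int main() {
  std::uint64_t n = 0;
  // Constructed header value: far above the cap, so it is refused with 413.
  return CheckContentLength("999999999999", n) == LengthCheck::TooLarge ? 0 : 1;
}
```

A reverse proxy in front of the server that enforces its own request-size limit gives the same bound without code changes.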
Affected Version(s)
DICOM Server 0 <= 1.12.10
