Out-of-Bounds Read Vulnerability in Orthanc Server's Dicom Image Decoder
CVE-2026-5445

9.1 CRITICAL

Key Information:

Vendor

Orthanc

CVE Published:
9 April 2026

What is CVE-2026-5445?

A vulnerability exists in the DicomImageDecoder.cpp module of Orthanc Server, specifically within the DecodeLookupTable function. The decoding logic for PALETTE COLOR images fails to validate pixel indices against the size of the lookup table. A specially crafted image can therefore use indices that exceed the palette size, causing the decoder to read beyond the memory allocated for the lookup table. The bytes read from adjacent heap memory are written into the output image, so the flaw is an information disclosure: heap contents, potentially including sensitive data, become visible to whoever can retrieve the decoded image.
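As an added illustration (not Orthanc's code), the flawed indexing pattern the description refers to is shown beside a hardened form in C++. The PaletteLut and DecodeResult types, the function names and the clamping-to-first/last-entry behaviour (the DICOM LUT Descriptor semantics, PS3.3 C.7.6.3.1.5) are assumptions made for this example:

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical PALETTE COLOR lookup table for one colour channel (constructed for this
// example). Mirrors the DICOM LUT Descriptor: entry count and first stored pixel value mapped.
struct PaletteLut {
    std::vector<std::uint16_t> entries;  // entries.size() == number of LUT entries
    std::uint16_t firstMapped;           // stored pixel value that maps to entries[0]
};

// The flawed pattern: the table is indexed straight from the pixel value with no check
// against entries.size(), so an index beyond the palette reads adjacent heap memory into the
// output image. Shown for contrast only; never call it with untrusted pixel data.
std::uint16_t lookupUnchecked(const PaletteLut& lut, std::uint16_t pixel) {
    return lut.entries[pixel - lut.firstMapped];  // out-of-bounds read when pixel is too large
}

// Hardened lookup: the index is computed in a wide type and clamped into the table. Clamping
// matches the DICOM-specified behaviour (values below the first mapped value use the first
// entry, values above the last mapped value use the last entry), so it is safe and conforming.
// Returns true when the pixel was in range, false when it had to be clamped.
bool lookupClamped(const PaletteLut& lut, std::uint16_t pixel, std::uint16_t& out) {
    if (lut.entries.empty()) throw std::runtime_error("empty palette LUT");
    if (pixel < lut.firstMapped) { out = lut.entries.front(); return false; }
    std::size_t index = static_cast<std::size_t>(pixel) - lut.firstMapped;
    if (index >= lut.entries.size()) { out = lut.entries.back(); return false; }
    out = lut.entries[index];
    return true;
}

struct DecodeResult {
    std::vector<std::uint16_t> samples;  // one output sample per input pixel
    std::size_t clampedCount;            // how many pixels fell outside the palette
};

// Decode a frame of stored pixel values through the palette. The clamped count lets a caller
// log or reject images whose indices exceed the palette instead of silently rendering them.
DecodeResult decodePaletteFrame(const PaletteLut& lut, const std::vector<std::uint16_t>& pixels) {
    DecodeResult result{{}, 0};
    result.samples.reserve(pixels.size());
    for (std::uint16_t px : pixels) {
        std::uint16_t sample = 0;
        if (!lookupClamped(lut, px, sample)) ++result.clampedCount;
        result.samples.push_back(sample);
    }
    return result;
}
```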

Affected Version(s)

DICOM Server: versions 0 through 1.12.10 (inclusive)

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved