Nine vulnerabilities in the open-source DICOM server Orthanc (CVE-2026-5437 to CVE-2026-5445) can crash servers, leak sensitive data, and potentially enable remote code execution. CERT/CC and Machine Spirits advise updating affected Orthanc versions (1.12.10 and earlier) to 1.12.11, which fixes out-of-bounds reads, decompression-bomb and ZIP size abuses, unsafe HTTP header allocations, and multiple heap buffer overflows. #Orthanc #MachineSpirits
Key points
- Nine vulnerabilities (CVE-2026-5437 to CVE-2026-5445) affect Orthanc versions 1.12.10 and earlier.
- Flaws include out-of-bounds reads and heap buffer overflows in multiple image parsing and decoding routines.
- GZIP decompression-bomb and ZIP metadata parsing issues can exhaust memory because the code trusts attacker-controlled size fields.
- The HTTP server allocates memory based on user-supplied header values, enabling crashes via crafted requests.
- Users should update to Orthanc 1.12.11 to apply the fixes released after the disclosure by Machine Spirits and the CERT/CC advisory.
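Added example (not Orthanc's own code) illustrating the size-trust problem behind the GZIP decompression-bomb key point: a gzip member ends with an ISIZE trailer that is attacker-controlled, so a decoder that admits or sizes its output from that field accepts a bomb, whereas a decoder that caps output as it inflates rejects it. It uses Python's standard zlib; the 1024-byte cap and the sample stream are constructed here.

```python
import gzip
import struct
import zlib

class DecompressionLimitExceeded(Exception):
    """Raised when inflated output would exceed the caller's cap."""

def claimed_isize(data: bytes) -> int:
    """ISIZE trailer (last 4 bytes, little-endian): the size the stream claims."""
    return struct.unpack("<I", data[-4:])[0]

def forge_isize(data: bytes, isize: int) -> bytes:
    """Constructed sample: rewrite the trailer so the stream lies about its size."""
    return data[:-4] + struct.pack("<I", isize)

def naive_accept(data: bytes, max_out: int) -> bool:
    """Unsafe pattern: admit/size the payload from the attacker-controlled trailer."""
    return claimed_isize(data) <= max_out

def gunzip_bounded(data: bytes, max_out: int) -> bytes:
    """Inflate one gzip member without trusting ISIZE; stop once max_out is exceeded."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    buf = data
    while not d.eof:
        room = max_out - len(out) + 1  # one byte of slack makes overshoot detectable
        chunk = d.decompress(buf, room)  # max_length caps the output of this call
        out += chunk
        if len(out) > max_out:
            raise DecompressionLimitExceeded(f"inflated data exceeds {max_out} bytes")
        buf = d.unconsumed_tail
        if not chunk and not buf:
            raise ValueError("truncated gzip stream")
    return bytes(out)

def exceeds_limit(data: bytes, max_out: int) -> bool:
    """True if bounded inflation of data trips the cap."""
    try:
        gunzip_bounded(data, max_out)
    except DecompressionLimitExceeded:
        return True
    return False

# Constructed sample: ~1 MB of zeros gzips to about 1 KB; then forge the
# trailer so the stream claims only 1024 bytes of output.
BOMB = gzip.compress(b"\x00" * 1_000_000)
LYING_BOMB = forge_isize(BOMB, 1024)
```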
Read More: https://www.securityweek.com/orthanc-dicom-vulnerabilities-lead-to-crashes-rce/