Critical Orthanc DICOM Server Vulnerabilities Expose Healthcare Systems to RCE and DoS
Take action: If you have Orthanc DICOM servers, make sure they are isolated from the internet and accessible from trusted networks only. Then upgrade to version 1.12.11 as soon as possible. These vulnerabilities allow attackers to take over or crash your imaging servers just by sending a malicious file.
Orthanc, an open-source DICOM server used in medical imaging, is reported to have nine security vulnerabilities that expose healthcare infrastructure to significant risks. These flaws affect all versions up to 1.12.10 and can lead to remote code execution (RCE), system crashes, and data leakage.
Vulnerability summary:
- CVE-2026-5442 (CVSS score 8.8) — A heap buffer overflow in the DICOM image decoder that occurs when dimension fields use Unsigned Long (UL) instead of Unsigned Short (US). Attackers can trigger integer overflows by specifying massive image dimensions, leading to out-of-bounds memory access. This allows for server crashes or arbitrary code execution.
- CVE-2026-5444 (CVSS score 8.8) — A heap buffer overflow in the PAM image parsing logic caused by 32-bit integer arithmetic errors. By embedding a crafted PAM image in a DICOM file, attackers cause an undersized memory allocation followed by an out-of-bounds write. This mechanism enables remote code execution or system crashes.
- CVE-2026-5438 (CVSS score 7.5) — A memory exhaustion vulnerability in the HTTP request processing involving GZIP decompression. Attackers send decompression bombs with no size limits, forcing the server to allocate excessive memory based on malicious metadata. This results in a denial-of-service condition.
- CVE-2026-5439 (CVSS score 7.5) — A memory exhaustion flaw in ZIP archive processing where the server trusts uncompressed size metadata. Attackers forge these values to trigger extremely large buffer allocations during extraction. This leads to immediate system resource depletion and service failure.
- CVE-2026-5440 (CVSS score 7.5) — A denial-of-service vulnerability in the HTTP server component related to header value handling. The server allocates memory directly based on user-supplied Content-Length values without validation. Attackers can terminate the server process by sending a single request with an oversized length value.
- CVE-2026-5437 (CVSS score 5.3) — An out-of-bounds read in the meta-header parser due to insufficient input validation. Attackers can exploit this flaw to read memory outside the intended buffer during parsing. This can lead to information disclosure or server instability.
- CVE-2026-5441 (CVSS score 5.3) — An out-of-bounds read in the Philips Compression format decompression routine. The decoder fails to properly validate escape markers at the end of the data stream, allowing attackers to leak heap data into rendered image outputs.
- CVE-2026-5443 (CVSS score 5.3) — An out-of-bounds read in the lookup-table decoding logic for Palette Color images. The system fails to validate pixel indices against the palette size, letting attackers read memory beyond the allocated buffer via crafted images.
- CVE-2026-5445 (CVSS score 7.5) — A heap buffer overflow in the Palette Color image decoding logic. This vulnerability allows attackers to write data past buffer boundaries during image processing. The flaw can result in server crashes or potential code execution.
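As an added illustration (not Orthanc's own code), the arithmetic pattern behind the first two entries: a naive 32-bit product of width, height and bytes per pixel wraps to a small value, so the buffer that gets allocated is undersized and the decoder then writes past it. The hardened version computes in 64 bits, detects overflow with the GCC/Clang `__builtin_mul_overflow` builtin, rejects dimensions outside the 16-bit Unsigned Short range, and enforces an assumed policy cap on decoded pixel bytes (the cap value and function names are this example's assumptions).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap on decoded pixel data per frame (512 MiB); not an Orthanc setting. */
#define MAX_PIXEL_BYTES (512ull * 1024ull * 1024ull)

/* Naive pattern: the product is evaluated in 32 bits and silently wraps.
 * Returns the wrapped value that a vulnerable decoder would pass to malloc(). */
uint32_t naive_frame_bytes(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel; /* e.g. 65536*65536*1 wraps to 0 */
}

/* DICOM Rows/Columns are defined as Unsigned Short; a value encoded as
 * Unsigned Long must still fit in 16 bits or the file is malformed. */
bool dimension_in_us_range(uint64_t v)
{
    return v >= 1 && v <= 0xFFFF;
}

/* Hardened pattern: 64-bit arithmetic with explicit overflow detection and a cap.
 * Returns true and stores the size in *out; false means the file must be rejected. */
bool checked_frame_bytes(uint64_t width, uint64_t height, uint64_t bytes_per_pixel, uint64_t *out)
{
    uint64_t pixels, bytes;
    if (!dimension_in_us_range(width) || !dimension_in_us_range(height))
        return false;
    if (bytes_per_pixel == 0 || bytes_per_pixel > 16) /* sanity bound on sample size */
        return false;
    if (__builtin_mul_overflow(width, height, &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, bytes_per_pixel, &bytes))
        return false;
    if (bytes > MAX_PIXEL_BYTES)
        return false;
    *out = bytes;
    return true;
}

int main(void)
{
    uint64_t out = 0;
    /* Constructed hostile dimensions: 65536 x 65536, 1 byte per pixel. */
    printf("naive size:   %u bytes (wrapped)\n", naive_frame_bytes(65536u, 65536u, 1u));
    printf("checked size: %s\n", checked_frame_bytes(65536, 65536, 1, &out) ? "accepted" : "rejected");
    printf("1024x1024x2:  %s (%llu bytes)\n",
           checked_frame_bytes(1024, 1024, 2, &out) ? "accepted" : "rejected",
           (unsigned long long)out);
    return 0;
}
```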
All versions of the Orthanc DICOM Server up to and including 1.12.10 are affected by these vulnerabilities. The attack surface includes any instance that accepts DICOM uploads or is reachable via its HTTP API. Because malicious files can be stored and processed later, the threat persists even if the initial upload is not immediately processed.
Administrators should upgrade to Orthanc version 1.12.11 as soon as possible. In addition to patching, organizations should implement network segmentation to isolate DICOM servers from untrusted networks and the public internet.