Orthanc DICOM Vulnerabilities Lead to Crashes, RCE

Summary

Nine security flaws (CVE-2026-5437 to CVE-2026-5445) were discovered in Orthanc, an open-source DICOM server used in healthcare and medical research. The vulnerabilities stem from insufficient input validation, missing bounds checks, and unsafe memory operations, allowing attackers to crash servers, leak sensitive data, and execute arbitrary code remotely. Users are advised to update to version 1.12.11 immediately.

Full text

Nine vulnerabilities in the open source Digital Imaging and Communications in Medicine (DICOM) server Orthanc allow attackers to crash servers, leak data, and execute arbitrary code remotely. A lightweight standalone DICOM server for healthcare and medical research, Orthanc supports the automated analysis of medical images and does not require complex database administration or third-party dependencies. The nine security defects in Orthanc, tracked CVE-2026-5437 to CVE-2026-5445, are rooted in insufficient validation of metadata, missing checks, and unsafe arithmetic operations, CERT Coordination Center (CERT/CC) notes in an advisory. The first bug is an out-of-bounds read issue affecting the meta-header parser, caused by insufficient input validation in the parsing logic. Next is a GZIP decompression bomb flaw in the processing of specific HTTP requests. Because no limit is enforced on decompressed size, and memory is allocated based on attacker-controlled metadata, a malicious payload could be used to exhaust system memory. Another memory exhaustion defect was discovered in ZIP archive processing, where the server trusts metadata describing the uncompressed size of the archived files, allowing an attacker to forge size values and cause the server to allocate extremely large buffers during extraction.Advertisement. Scroll to continue reading. The HTTP server was also found to allocate memory directly based on user-supplied header values, allowing attackers to craft an HTTP request containing an extremely large length value, triggering server termination. Orthanc’s decompression routine for the proprietary Philips Compression format is affected by an out-of-bounds read vulnerability, where escape markers at the end of the compressed data stream are improperly validated. “A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output,” the CERT/CC advisory reads. Another out-of-bounds read weakness was identified in the lookup-table decoding logic for Palette Color images, which fails to validate pixel indices. The flaw can be exploited via crafted images with indices larger than the palette size. The last three security defects are heap buffer overflow issues impacting the image decoder, Palette Color image decoding logic, and PAM image parsing logic. Successful exploitation of these vulnerabilities could lead to out-of-bounds memory access. “The most severe issues are heap-based buffer overflows in image parsing and decoding logic, which can crash the Orthanc process and may, under certain conditions, provide a pathway to remote code execution (RCE),” the CERT/CC advisory reads. Orthanc versions 1.12.10 and earlier are affected by these bugs. Users are advised to update to version 1.12.11, which addresses all of them. The vulnerabilities were discovered by researchers at Machine Spirits, who published their own advisories. Related: Critical Marimo Flaw Exploited Hours After Public Disclosure Related: Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users Related: Data Leakage Vulnerability Patched in OpenSSL Related: RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Palo Alto Networks, SonicWall Patch High-Severity VulnerabilitiesGoogle Warns of New Campaign Targeting BPOs to Steal Corporate Data300,000 People Impacted by Eurail Data BreachRCE Bug Lurked in Apache ActiveMQ Classic for 13 YearsFBI: Cybercrime Losses Neared $21 Billion in 2025Evasive Masjesu DDoS Botnet Targets IoT DevicesHackers Targeting Ninja Forms Vulnerability That Exposes WordPress Sites to TakeoverTrent AI Emerges From Stealth With $13 Million in Funding Latest News Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000MITRE Releases Fight Fraud FrameworkCritical Marimo Flaw Exploited Hours After Public DisclosureGoogle Rolls Out Cookie Theft Protections in ChromeMicrosoft Finds Vulnerability Exposing Millions of Android Crypto Wallet UsersApple Intelligence AI Guardrails Bypassed in New AttackCan We Trust AI? No – But Eventually We MustGoogle API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveFinite State has named Ann Miller as Vice President of Marketing.Yael Nardi has joined Minimus as Chief Business Officer.John Clancy has become Chief Executive Officer at Bitsight.More People On The MoveExpert Insights The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-5437
• cve — CVE-2026-5438
• cve — CVE-2026-5439
• cve — CVE-2026-5440
• cve — CVE-2026-5441
• cve — CVE-2026-5442
• cve — CVE-2026-5443
• cve — CVE-2026-5444
• cve — CVE-2026-5445

Entities