CVE-2026-5439
Published 2026-04-09
Priority P3 (41) · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 0.43% (34.1 percentile)
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
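The mitigation for the bug class described above, as an added example (not Orthanc's code): an extractor that never sizes a buffer from the archive's declared uncompressed size, rejects entries whose header claims more than a policy cap, and counts bytes as they actually inflate so an under-declared entry is cut off at the same cap. The cap values and the `build_fixture` helper, which constructs a one-entry ZIP and optionally rewrites its central-directory size field, are assumptions for the demonstration.

```python
import io
import struct
import zipfile

# Policy limits; assumed values, tune per deployment.
MAX_ENTRY_BYTES = 16 * 1024 * 1024   # largest single entry we are willing to inflate
CHUNK = 64 * 1024                    # inflate in fixed chunks, never one big buffer

class UnsafeArchive(ValueError):
    """Archive metadata or actual content exceeds policy."""

def safe_extract(data: bytes) -> dict[str, bytes]:
    """Extract an in-memory ZIP without trusting the declared uncompressed size.

    Two independent checks: (1) reject an entry whose header claims more than
    the cap, so nothing is ever allocated from attacker-supplied metadata;
    (2) count bytes as they actually inflate, so an entry that under-declares
    its size is stopped at the same cap instead of growing without bound.
    """
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_ENTRY_BYTES:
                raise UnsafeArchive(
                    f"{info.filename}: declares {info.file_size} bytes, cap is {MAX_ENTRY_BYTES}")
            buf = io.BytesIO()
            with zf.open(info) as fh:
                while chunk := fh.read(CHUNK):
                    # budget is enforced on real inflated bytes, not on the header's claim
                    if buf.tell() + len(chunk) > MAX_ENTRY_BYTES:
                        raise UnsafeArchive(f"{info.filename}: inflated past cap")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out

def build_fixture(forge_size: bool) -> bytes:
    """Constructed test input (hypothetical): a one-entry ZIP; when forge_size is
    set, the central-directory 'uncompressed size' field is rewritten to claim ~2 GiB
    while the entry itself stays 1 KiB, the shape of archive the advisory describes."""
    payload = bytes(range(256)) * 4
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("study.dcm", payload)
    data = bytearray(bio.getvalue())
    if forge_size:
        cd = data.rindex(b"PK\x01\x02")                    # central directory file header
        struct.pack_into("<I", data, cd + 24, 0x7FFFFFFF)  # offset 24 = uncompressed size
    return bytes(data)
```

Running `safe_extract(build_fixture(True))` raises `UnsafeArchive` before any allocation, while the honest fixture extracts normally.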
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | orthanc | — | — |
| orthanc-server | orthanc | < 1.12.11 | 1.12.11 |
| orthanc | dicom_server | <= 1.12.10 | — |
Debian
CVE-2026-5439: orthanc
vendor_debian·2026
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
GHSA
GHSA-6cmv-pvcc-pf5h: A memory exhaustion vulnerability exists in ZIP archive processing
ghsa_unreviewed·2026-04-09
VulDB
Orthanc DICOM Server up to 1.12.10 ZIP Archive size allocation of resources (EUVD-2026-20916) [LOW]
vuldb·2026-04-09
A vulnerability classified as problematic has been reported in Orthanc DICOM Server up to 1.12.10. It affects unspecified processing in the ZIP Archive Handler component: manipulation of the size argument leads to uncontrolled allocation of resources.
This vulnerability is documented as CVE-2026-5439. The attack can be initiated remotely. No exploit is available.
No detection rules found.
No public exploits indexed.
Published 2026-04-09