CVE-2026-5440
published 2026-04-09

Priority: P3 (44)
high 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.57% (42.7th percentile)

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
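
One way to bound the header before anything is allocated, shown as an added example (it is not Orthanc's code or its actual fix). The function names, the 64 MiB limit and the 64 KiB initial chunk are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy values, not taken from Orthanc. */
#define MAX_BODY_BYTES ((uint64_t)64 * 1024 * 1024)
#define INITIAL_CHUNK  ((uint64_t)64 * 1024)

typedef enum { CL_OK = 0, CL_INVALID = 1, CL_TOO_LARGE = 2 } cl_status;

/* Parse a Content-Length value: digits only, no sign, no wraparound, capped. */
cl_status parse_content_length(const char *value, uint64_t limit, uint64_t *out)
{
    uint64_t n = 0;
    if (value == NULL || *value == '\0')
        return CL_INVALID;
    for (const char *p = value; *p != '\0'; ++p) {
        if (!isdigit((unsigned char)*p))
            return CL_INVALID;              /* rejects "-1", "+5", "1e9", spaces */
        uint64_t d = (uint64_t)(*p - '0');
        /* Stop as soon as n*10+d would pass the limit, so n never overflows. */
        if (d > limit || n > (limit - d) / 10)
            return CL_TOO_LARGE;
        n = n * 10 + d;
    }
    *out = n;
    return CL_OK;
}

/* First allocation for the body: never the full declared length up front.
 * The buffer should grow only as body bytes actually arrive. */
uint64_t initial_reservation(uint64_t declared)
{
    return declared < INITIAL_CHUNK ? declared : INITIAL_CHUNK;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "1024", "67108865", "18446744073709551616", "-1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        uint64_t n = 0;
        cl_status s = parse_content_length(samples[i], MAX_BODY_BYTES, &n);
        printf("%-22s status=%d reserve=%llu\n", samples[i], (int)s,
               (unsigned long long)(s == CL_OK ? initial_reservation(n) : 0));
    }
    return 0;
}
```

A request that fails the check can be answered with 413 (too large) or 400 (malformed) before any body buffer exists.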

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| debian | orthanc | | |
| orthanc-server | orthanc | < 1.12.11 | 1.12.11 |
| orthanc | dicom_server | <= 1.12.10 | |