CVE-2026-5442
Published 2026-04-09
Priority: P3 (55) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.2nd percentile)
A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL, a 32-bit value) instead of the expected VR Unsigned Short (US, a 16-bit value capped at 65535), which allows extremely large dimensions to be processed. The frame size computed from these dimensions overflows during multiplication, so the pixel buffer is sized from a wrapped value and the decoder then writes past its end (out-of-bounds memory access) while decoding the image.
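To make the two halves of the bug concrete, here is an added C example. It is not Orthanc's code and makes no claim about how the project's decoder is structured; the struct, the tag handling, the sample elements and the limits on samples per pixel and bits allocated are assumptions chosen for illustration. It shows the 32-bit frame-size product wrapping to zero once a dimension of 65536 (only representable if the field was read as UL) reaches it, a hardened computation that enforces the US value domain and checks every multiplication, and an explicit-VR little-endian header check that rejects a Rows element carrying the VR "UL" instead of "US" before its value is ever used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Orthanc's code. Image dimensions as a decoder might
 * hold them after reading Rows (0028,0010), Columns (0028,0011),
 * Samples per Pixel (0028,0002) and Bits Allocated (0028,0100). */
typedef struct {
    uint32_t rows, cols, samples, bits_allocated;
} dicom_dims;

/* Vulnerable pattern: frame size computed in 32-bit arithmetic. With
 * rows = cols = 65536 (only reachable if the field was read as UL rather
 * than US) the product wraps to 0, so the pixel buffer is allocated far
 * too small while the decoder still writes rows*cols pixels into it. */
uint32_t frame_size_vulnerable(const dicom_dims *d)
{
    return d->rows * d->cols * d->samples * (d->bits_allocated / 8);
}

/* Overflow-checked 64-bit multiply. */
static bool mul_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Hardened variant: enforce the US value domain (1..65535) on the dimension
 * fields, bound the other factors (these limits are assumptions), multiply
 * with overflow checks, and cap the result at a caller-chosen budget. */
bool frame_size_checked(const dicom_dims *d, uint64_t max_bytes, uint64_t *out)
{
    if (d->rows == 0 || d->cols == 0 || d->rows > 0xFFFFu || d->cols > 0xFFFFu) return false;
    if (d->samples == 0 || d->samples > 4) return false;
    if (d->bits_allocated != 8 && d->bits_allocated != 16 && d->bits_allocated != 32) return false;
    uint64_t acc = d->rows;
    if (!mul_checked(acc, d->cols, &acc)) return false;
    if (!mul_checked(acc, d->samples, &acc)) return false;
    if (!mul_checked(acc, d->bits_allocated / 8, &acc)) return false;
    if (acc > max_bytes) return false;
    *out = acc;
    return true;
}

/* Explicit VR little-endian element check: accept a dimension element only if
 * it really is encoded as US with a 2-byte value. A "UL" header, the
 * mis-encoding the advisory describes, is rejected before the value is used. */
typedef enum { DIM_OK, DIM_SHORT, DIM_BAD_TAG, DIM_BAD_VR, DIM_BAD_LEN } dim_status;

dim_status read_us_dimension(const uint8_t *buf, size_t len,
                             uint16_t group, uint16_t elem, uint16_t *value)
{
    if (len < 10) return DIM_SHORT;               /* tag(4) + VR(2) + length(2) + value(2) */
    uint16_t g = (uint16_t)(buf[0] | (buf[1] << 8));
    uint16_t e = (uint16_t)(buf[2] | (buf[3] << 8));
    if (g != group || e != elem) return DIM_BAD_TAG;
    if (memcmp(buf + 4, "US", 2) != 0) return DIM_BAD_VR;
    uint16_t vl = (uint16_t)(buf[6] | (buf[7] << 8));
    if (vl != 2) return DIM_BAD_LEN;
    *value = (uint16_t)(buf[8] | (buf[9] << 8));
    return DIM_OK;
}

/* Constructed sample elements for the Rows tag (not taken from any real file). */
static const uint8_t ROWS_US[] = { 0x28,0x00, 0x10,0x00, 'U','S', 0x02,0x00, 0x00,0x02 };          /* US, Rows = 512 */
static const uint8_t ROWS_UL[] = { 0x28,0x00, 0x10,0x00, 'U','L', 0x04,0x00, 0x00,0x00,0x01,0x00 }; /* UL, Rows = 65536 */

uint32_t demo_vulnerable_wrap(void)
{
    dicom_dims d = { 65536u, 65536u, 1, 8 };
    return frame_size_vulnerable(&d);              /* 65536 * 65536 wraps to 0 */
}

bool demo_checked_rejects(void)
{
    dicom_dims d = { 65536u, 65536u, 1, 8 };
    uint64_t size;
    return !frame_size_checked(&d, 1ull << 30, &size);
}

uint64_t demo_checked_accepts(void)
{
    dicom_dims d = { 512, 512, 1, 16 };
    uint64_t size = 0;
    return frame_size_checked(&d, 1ull << 30, &size) ? size : 0;   /* 512*512*2 = 524288 */
}

int demo_parse_us(void)                            /* parsed Rows value, or -1 if rejected */
{
    uint16_t v = 0;
    return read_us_dimension(ROWS_US, sizeof ROWS_US, 0x0028, 0x0010, &v) == DIM_OK ? (int)v : -1;
}

dim_status demo_parse_ul(void)
{
    uint16_t v = 0;
    return read_us_dimension(ROWS_UL, sizeof ROWS_UL, 0x0028, 0x0010, &v);
}

int main(void)
{
    printf("vulnerable frame size for 65536x65536x8bpp: %u bytes\n", demo_vulnerable_wrap());
    printf("checked computation rejects it: %s\n", demo_checked_rejects() ? "yes" : "no");
    printf("US-encoded Rows parses to: %d\n", demo_parse_us());
    printf("UL-encoded Rows status: %d (3 = bad VR)\n", (int)demo_parse_ul());
    return 0;
}
```

The point of the header check is that the VR carries trust information: a Rows value of 65536 can only arrive through a VR whose value domain is wider than the attribute allows, so rejecting the mismatched VR closes the door before the dimension reaches any arithmetic. The checked multiply is the second, independent line of defence for values that are in range individually but overflow in product.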
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | orthanc | — | — |
| orthanc-server | orthanc | < 1.12.11 | 1.12.11 |
| orthanc | dicom_server | <= 1.12.10 | — |
GHSA
GHSA-f2m7-r4gw-p642 (ghsa_unreviewed, 2026-04-09): A heap buffer overflow vulnerability exists in the DICOM image decoder. Description as for the CVE entry above.
VulDB
Orthanc DICOM Server up to 1.12.10 DICOM Image Parser integer overflow (EUVD-2026-20920), vuldb, 2026-04-09, rated CRITICAL
A vulnerability classified as critical has been found in Orthanc DICOM Server up to 1.12.10. The affected element is an unknown function of the component DICOM Image Parser. This manipulation causes an integer overflow. The attack may be initiated remotely. There is no available exploit.
Debian
CVE-2026-5442: orthanc (vendor_debian, 2026)
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.