CVE-2026-5443
Published 2026-04-09
Priority: P357
Severity: critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% (42.9th percentile)
A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
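To make the described defect concrete, the following is an added illustration (not Orthanc's code; all function and parameter names are assumed) of a pixel-length check computed in 32-bit arithmetic next to an overflow-checked replacement of the kind a fix would use:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration of the bug class in the advisory (assumed names, not
 * Orthanc's code): the expected pixel-buffer size is computed in 32 bits,
 * so width * height * bytes_per_pixel can wrap and the "is the Pixel Data
 * element long enough?" check passes for a buffer that is far too small.
 * A decoder that then walks width*height output pixels overruns the heap. */

/* Vulnerable pattern: 32-bit product compared against the real length. */
bool pixel_length_ok_32bit(uint32_t width, uint32_t height,
                           uint32_t bytes_per_pixel, size_t pixel_data_len)
{
    uint32_t expected = width * height * bytes_per_pixel; /* may wrap */
    return pixel_data_len >= expected;
}

/* Overflow-checked multiply: rejects any product that would not fit. */
static bool mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened pattern: every wrap is a hard rejection, never a small size. */
bool pixel_length_ok_checked(uint32_t width, uint32_t height,
                             uint32_t bytes_per_pixel, size_t pixel_data_len)
{
    size_t area, expected;
    if (!mul_size_checked(width, height, &area))
        return false;
    if (!mul_size_checked(area, bytes_per_pixel, &expected))
        return false;
    return pixel_data_len >= expected;
}

int main(void)
{
    /* Constructed header: 65536 x 65537 x 1 byte. The true size is
     * 4295032832 bytes, but the 32-bit product wraps to 65536. */
    size_t len = 65536;
    printf("32-bit check:  %s\n", pixel_length_ok_32bit(65536u, 65537u, 1u, len) ? "accepts (bug)" : "rejects");
    printf("checked:       %s\n", pixel_length_ok_checked(65536u, 65537u, 1u, len) ? "accepts" : "rejects");
    return 0;
}
```

The wrapped product is exactly what lets a small Pixel Data element satisfy the length check while the decoder still iterates over the full declared image area.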
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | orthanc | — | — |
| orthanc-server | orthanc | < 1.12.11 | 1.12.11 |
| orthanc | dicom_server | <= 1.12.10 | — |
GHSA
GHSA-x69c-qfxw-mhm7 (ghsa_unreviewed, 2026-04-09): A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. The GHSA description is identical to the CVE summary above.
VulDB
CVE-2026-5443 [CRITICAL] Orthanc DICOM Server up to 1.12.10 DICOM Image Parser integer overflow (EUVD-2026-20922)
vuldb, 2026-04-09
A vulnerability classified as critical was found in Orthanc DICOM Server up to 1.12.10. The impacted element is an unknown function of the component DICOM Image Parser. Such manipulation leads to integer overflow.
This vulnerability is traded as CVE-2026-5443. The attack may be launched remotely. There is no exploit available.
Debian
CVE-2026-5443: orthanc (vendor_debian, 2026)
Status by suite:
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
Published 2026-04-09