Overview of the Orthanc DICOM Vulnerabilities
Nine security flaws discovered in Orthanc, a widely used open source Digital Imaging and Communications in Medicine (DICOM) server, allow malicious actors to crash servers, expose sensitive data, and execute arbitrary code on affected systems. Orthanc is a lightweight, standalone DICOM server designed for healthcare and medical research environments. It supports automated medical image analysis and is notable for not requiring complex database administration or third-party dependencies.
The vulnerabilities, tracked as CVE-2026-5437 through CVE-2026-5445, stem from insufficient validation of metadata, missing security checks, and unsafe arithmetic operations, according to an advisory published by the CERT Coordination Center (CERT/CC). All nine flaws affect Orthanc versions 1.12.10 and earlier. Users are strongly encouraged to upgrade to version 1.12.11, which resolves all identified issues.
Detailed Breakdown of the Nine Flaws
Out-of-Bounds Read in Meta-Header Parsing
The first vulnerability is an out-of-bounds read issue residing in the meta-header parser. It is caused by insufficient input validation within the parsing logic, potentially allowing an attacker to read memory outside of allocated bounds.
GZIP Decompression Bomb
The second flaw affects the processing of specific HTTP requests. Because Orthanc enforces no limit on decompressed data size and allocates memory based on attacker-controlled metadata, a specially crafted GZIP payload can be used to exhaust system memory entirely.
Memory Exhaustion in ZIP Archive Processing
A related memory exhaustion defect was found in ZIP archive handling. The server trusts the metadata that describes the uncompressed size of archived files. An attacker can forge these size values to cause Orthanc to allocate extremely large memory buffers during extraction, effectively starving the server of resources.
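The GZIP and ZIP flaws above share one root cause: the server sizes an allocation from a length that the sender wrote into the container's own metadata. The following Python is an added illustration of that pattern and its fix; it is not Orthanc's code (Orthanc is written in C++), and the cap value, the constructed payloads and the helper names are assumptions made for the example. `naive_allocation_plan` shows what the weak pattern would allocate (it only reports the number, so the example is safe to run), while `decompress_bounded` never consults the declared size and instead streams the output, failing closed as soon as the real output crosses the limit. The same idea applies to ZIP extraction, where the uncompressed-size field in the local header or central directory is the untrusted claim.

```python
import gzip
import struct
import zlib

# Hypothetical policy cap for this example (the page does not describe
# Orthanc's own limits); a deployment would size it per endpoint.
MAX_DECOMPRESSED_BYTES = 1 * 1024 * 1024

# Constructed inputs: a benign payload and a "bomb" (8 MiB of zeros
# shrinks to a few KiB of gzip).
BENIGN_PLAINTEXT = b"DICOM payload of modest size\n" * 100
BENIGN_GZ = gzip.compress(BENIGN_PLAINTEXT)
BOMB_GZ = gzip.compress(b"\x00" * (8 * 1024 * 1024))


def declared_uncompressed_size(gz: bytes) -> int:
    """The ISIZE field in the gzip trailer: a claim the sender controls."""
    return struct.unpack("<I", gz[-4:])[0]


def forge_declared_size(gz: bytes, claimed: int) -> bytes:
    """Rewrite the trailer so the member claims an arbitrary size (constructed
    input for the demonstration; the compressed body is left intact)."""
    return gz[:-4] + struct.pack("<I", claimed & 0xFFFFFFFF)


def naive_allocation_plan(gz: bytes) -> int:
    """The weak pattern: size the output buffer from the trailer before
    decoding a single byte. Returns the byte count such code would
    allocate rather than allocating it."""
    return declared_uncompressed_size(gz)


def decompress_bounded(gz: bytes, limit: int = MAX_DECOMPRESSED_BYTES,
                       chunk: int = 64 * 1024) -> bytes:
    """Stream-decode, growing the output gradually and refusing to continue
    once the actual output exceeds `limit`; the declared size is unused."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    pending = gz
    while pending:
        out += d.decompress(pending, chunk)  # at most `chunk` bytes per call
        if len(out) > limit:
            raise ValueError(f"decompressed size exceeds {limit} bytes")
        pending = d.unconsumed_tail  # input not yet consumed, if any
    out += d.flush()  # drain the small amount zlib may still hold
    if len(out) > limit:
        raise ValueError(f"decompressed size exceeds {limit} bytes")
    return bytes(out)


def is_rejected(gz: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bool:
    """True if the bounded decoder refuses the input (size cap hit, or the
    gzip trailer fails zlib's own integrity checks)."""
    try:
        decompress_bounded(gz, limit)
    except (ValueError, zlib.error):
        return True
    return False


if __name__ == "__main__":
    print("benign bytes:", len(decompress_bounded(BENIGN_GZ)))
    print("bomb rejected:", is_rejected(BOMB_GZ))
    forged = forge_declared_size(BENIGN_GZ, 0xFFFFFFFF)
    print("naive plan for forged trailer:", naive_allocation_plan(forged))
```

Because the bounded decoder checks actual output rather than a claim, a forged trailer buys the sender nothing: the worst case is a few hundred kilobytes of wasted work before the cap triggers, instead of a multi-gigabyte allocation before any decoding starts.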
HTTP Header-Based Memory Allocation
Orthanc's HTTP server was also found to allocate memory directly based on length values supplied by users in HTTP headers. Crafting a request with an extremely large length value can trigger server termination due to uncontrolled memory allocation.
Out-of-Bounds Read in Philips Compression Decoding
Orthanc's decompression routine for the proprietary Philips Compression format is vulnerable to an out-of-bounds read. Escape markers located at the end of a compressed data stream are improperly validated. As the CERT/CC advisory states:
"A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output."
Out-of-Bounds Read in Palette Color Lookup-Table Decoding
Another out-of-bounds read weakness was identified in the lookup-table decoding logic used for Palette Color images. This component fails to validate pixel indices, meaning crafted images with indices larger than the palette size can be used to trigger out-of-bounds memory reads.
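The palette flaw is a classic unchecked table lookup: each pixel value is used as an index into the colour table, and nothing confirms the index is smaller than the table. The Python below is an added example, not Orthanc's decoder; the 4-entry palette, the pixel data and the function names are constructed for the illustration, and it models LUT data as 16-bit little-endian words per channel. It performs the two checks a decoder needs before touching the table: the descriptor's entry count must be backed by the actual data length (the same "trust the metadata" trap as the decompression bugs), and every pixel index must be strictly smaller than the entry count.

```python
import struct

# Constructed sample: a 4-entry palette, one 16-bit word per channel entry.
ENTRIES = 4
RED = struct.pack("<4H", 0, 65535, 0, 0)
GREEN = struct.pack("<4H", 0, 0, 65535, 0)
BLUE = struct.pack("<4H", 0, 0, 0, 65535)

# A 2x2 8-bit index image using only valid indices 0..3 ...
VALID_PIXELS = bytes([0, 1, 2, 3])
# ... and a crafted one whose third pixel points far past the 4 entries.
CRAFTED_PIXELS = bytes([0, 1, 200, 3])


def parse_lut(entries: int, red: bytes, green: bytes, blue: bytes):
    """Build a list of (R, G, B) tuples, refusing a descriptor whose entry
    count does not match the length of the channel data it describes."""
    if entries <= 0:
        raise ValueError("palette must have at least one entry")
    for name, data in (("red", red), ("green", green), ("blue", blue)):
        if len(data) != entries * 2:
            raise ValueError(
                f"{name} LUT data is {len(data)} bytes, descriptor claims "
                f"{entries} entries ({entries * 2} bytes)")
    fmt = f"<{entries}H"
    return list(zip(struct.unpack(fmt, red),
                    struct.unpack(fmt, green),
                    struct.unpack(fmt, blue)))


def apply_palette(indices: bytes, lut):
    """Map each pixel index through the LUT; an index at or beyond the end
    of the table is rejected instead of being read from adjacent memory."""
    n = len(lut)
    rendered = []
    for pos, idx in enumerate(indices):
        if idx >= n:
            raise ValueError(
                f"pixel {pos} has index {idx}, palette has only {n} entries")
        rendered.append(lut[idx])
    return rendered


def decode_palette_image(indices: bytes, entries: int,
                         red: bytes, green: bytes, blue: bytes):
    """Full path: validate the descriptor, then validate every index."""
    return apply_palette(indices, parse_lut(entries, red, green, blue))


def palette_decode_rejected(indices: bytes, entries: int,
                            red: bytes, green: bytes, blue: bytes) -> bool:
    """True if the decoder refuses the input for either validation reason."""
    try:
        decode_palette_image(indices, entries, red, green, blue)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(decode_palette_image(VALID_PIXELS, ENTRIES, RED, GREEN, BLUE))
    print("crafted rejected:", palette_decode_rejected(
        CRAFTED_PIXELS, ENTRIES, RED, GREEN, BLUE))
    print("overstated descriptor rejected:", palette_decode_rejected(
        VALID_PIXELS, 8, RED, GREEN, BLUE))
```

In a memory-unsafe decoder the out-of-range lookup silently returns whatever lies after the table, which is how heap contents end up in the rendered pixels; here the check turns the same input into a rejected image. Clamping an out-of-range index to the last entry is the other fail-closed choice; either way the read must never leave the table.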
Three Heap Buffer Overflow Issues
The final three vulnerabilities are all heap buffer overflows affecting different components:
- The image decoder
- The Palette Color image decoding logic
- The PAM image parsing logic
Successful exploitation of any of these overflows can lead to out-of-bounds memory access. The CERT/CC advisory underscores the severity of these particular issues:
"The most severe issues are heap-based buffer overflows in image parsing and decoding logic, which can crash the Orthanc process and may, under certain conditions, provide a pathway to remote code execution (RCE)."
Who Discovered the Vulnerabilities
The nine flaws were identified by researchers at Machine Spirits, who also published their own independent advisories alongside the CERT/CC disclosure. The coordinated release highlights the significance of these bugs for healthcare organizations and medical research institutions that rely on Orthanc for managing and analyzing DICOM imaging data.
Risk and Remediation
Given that Orthanc is deployed in healthcare and medical research environments, the potential impact of these vulnerabilities extends beyond typical software flaws. A successful attack could disrupt diagnostic imaging workflows, expose sensitive patient data stored in DICOM format, or allow a remote attacker to gain control of a server entirely.
The attack surface is particularly concerning for internet-exposed or poorly segmented deployments. Several of the flaws require only a crafted HTTP request or malformed image file to trigger, lowering the barrier for exploitation significantly.
Organizations running Orthanc should treat this update as a critical priority. Administrators should:
- Immediately upgrade to Orthanc version 1.12.11, which patches all nine vulnerabilities.
- Audit network exposure of Orthanc instances and restrict access where possible.
- Review logs for anomalous memory consumption or unexpected server crashes that may indicate prior exploitation attempts.
Full technical details are available in both the CERT/CC advisory and the disclosures published by Machine Spirits.
Source: SecurityWeek