{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5439", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-02T19:22:13.583Z", "datePublished": "2026-04-09T14:44:37.078Z", "dateUpdated": "2026-04-14T16:34:14.439Z"}, "containers": {"cna": {"title": "Memory Exhaustion via Forged ZIP Metadata", "descriptions": [{"lang": "en", "value": "A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.10", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5439"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:44:37.078Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:15:14.226462Z", "id": "CVE-2026-5439", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:34:14.439Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5439", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:15:14.226462Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:15:08.031Z"}}], "cna": {"title": "Memory Exhaustion via Forged ZIP Metadata", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.12.10"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5439"}, "descriptions": [{"lang": "en", "value": "A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:44:37.078Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5439", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:34:14.439Z", "dateReserved": "2026-04-02T19:22:13.583Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-09T14:44:37.078Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*", "matchCriteriaId": "A259075D-8B77-4B04-BC42-3E5ABE9DFE1F", "versionEndExcluding": "1.12.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction."}], "id": "CVE-2026-5439", "lastModified": "2026-04-15T19:32:22.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T15:16:15.443", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://kb.cert.org/vuls/id/536588"}, {"source": "cret@cert.org", "tags": ["Not Applicable"], "url": "https://www.machinespirits.de/"}, {"source": "cret@cert.org", "tags": ["Product"], "url": "https://www.orthanc-server.com/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.12.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DICOM Server", "source": "cna", "vendor": "Orthanc"}, "product": "dicom_server", "vendor": "orthanc"}], "analysis": {"en": {"generated_at": "2026-04-17T09:25:56.218846+00:00", "value": {"mitigation_remediation": ["Apply the latest Orthanc update that fixes ZIP metadata validation", "If an upgrade is not possible, block or disable automatic ZIP extraction on the affected endpoints", "Validate or sanitize ZIP metadata before extraction to ensure uncompressed sizes stay within realistic limits", "Ensure that any temporary buffers allocated during extraction are bounded and checked"], "summary": {"action": "Immediate Patch", "impact": "Remote Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Orthanc DICOM Server products that automatically decompress ZIP uploads. No specific version numbers are listed, so any Orthanc installation using the default ZIP extraction routine is potentially vulnerable.", "description_and_impact": "Orthanc automatically extracts ZIP archives uploaded to certain endpoints and relies on metadata describing the uncompressed size of each archived file. An attacker can craft a small ZIP archive containing a forged size value that far exceeds realistic limits. During extraction the server allocates buffers based on that forged value, causing extreme memory usage and potentially exhausting the system\u2019s memory. This flaw is classified as CWE\u2011770, Excessive Resource Consumption, leading to a denial of service where the server becomes unresponsive, restarts, or crashes, disrupting legitimate DICOM operations.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker can exploit the flaw remotely by uploading a malicious ZIP file to any endpoint that accepts ZIP data; authentication or additional privileges are not explicitly required, but this is inferred from the fact that the server processes the uploads without validating size metadata. The attack vector is inferred from the processing of uploaded ZIP archives."}}}}, "created": "2026-04-10T08:53:21.720301+00:00", "updated": "2026-04-17T09:30:14.486924+00:00", "vendors": ["orthanc", "orthanc$PRODUCT$dicom_server"]}