CVE-2026-5437
Out-of-Bounds Read in DicomStreamReader During Metadata Parsing

Publication date: 2026-04-09

Last updated on: 2026-04-15

Assigner: CERT/CC

Description
An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-15
Generated: 2026-06-16
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: orthanc-server
Product: orthanc
Version / Range: all versions before 1.12.11 (1.12.11 itself excluded)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-5437 is an out-of-bounds read vulnerability found in the Orthanc DICOM Server's DicomStreamReader component during the parsing of DICOM meta-headers.

When the server processes malformed metadata structures, the parser may read beyond the allocated metadata buffer bounds due to insufficient input validation.

Although this flaw usually does not cause server crashes or directly expose data to attackers, it indicates a critical weakness in how the server handles attacker-controlled metadata.

Impact Analysis

This vulnerability can cause the Orthanc DICOM Server to read memory outside the intended buffer, which may produce unpredictable behavior or be leveraged as one step in a more complex attack.

While it typically does not crash the server or directly expose sensitive data, the underlying lack of input validation could be exploited as part of a broader attack chain.

Users of affected versions are strongly advised to upgrade to Orthanc version 1.12.11 or later, where this vulnerability has been addressed.

Mitigation Strategies

The vulnerability CVE-2026-5437 in the Orthanc DICOM Server has been addressed in version 1.12.11.

Users are strongly advised to upgrade their Orthanc server to version 1.12.11 or later to mitigate the risk of this out-of-bounds read vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

No specific detection method or commands are provided in the available information for identifying this vulnerability on your network or systems.

However, since the vulnerability is triggered while parsing malformed DICOM metadata in the Orthanc DICOM Server (version 1.12.10 and earlier), monitoring for unusual or malformed DICOM files being submitted to Orthanc may help with detection.

The recommended mitigation is to upgrade Orthanc to version 1.12.11 or later, where this vulnerability has been fixed.
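As an added illustration (not Orthanc's own code), here is a bounds-checked DICOM Part 10 meta-header parser of the kind the description calls for: it walks the group 0002 elements in Explicit VR Little Endian and rejects any element whose declared length would run past the end of the buffer instead of reading it. The names `MetaElement`, `parseMetaHeader`, `buildSample` and `metaElementCount` are chosen for this example, and the sample file is constructed inline.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

struct MetaElement { uint16_t group, element; std::string vr; std::vector<uint8_t> value; };

// Little-endian integer of n bytes at pos; callers check bounds first.
static uint32_t readLE(const std::vector<uint8_t>& b, size_t pos, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; ++i) v |= static_cast<uint32_t>(b[pos + i]) << (8 * i);
    return v;
}

// Parses the meta-header: 128-byte preamble, "DICM", then group 0002 elements in
// Explicit VR Little Endian. Every fixed-size read is checked against the bytes
// left, and a declared value length is honoured only if it fits in the buffer.
bool parseMetaHeader(const std::vector<uint8_t>& buf, std::vector<MetaElement>& out) {
    size_t pos = 132;
    if (buf.size() < pos || std::memcmp(&buf[128], "DICM", 4) != 0) return false;
    while (pos < buf.size()) {
        if (buf.size() - pos < 8) return false;             // tag(4) + VR(2) + length(2)
        MetaElement e;
        e.group = static_cast<uint16_t>(readLE(buf, pos, 2));
        if (e.group != 0x0002) break;                        // meta-header ends at first non-0002 tag
        e.element = static_cast<uint16_t>(readLE(buf, pos + 2, 2));
        e.vr.assign(reinterpret_cast<const char*>(&buf[pos + 4]), 2);
        const bool longVR = e.vr == "OB" || e.vr == "OW" || e.vr == "OF" || e.vr == "SQ" || e.vr == "UT" || e.vr == "UN";
        uint32_t len = 0;
        if (longVR) {                                        // 2 reserved bytes + 4-byte length
            if (buf.size() - pos < 12) return false;
            len = readLE(buf, pos + 8, 4); pos += 12;
        } else { len = readLE(buf, pos + 6, 2); pos += 8; }
        if (len == 0xFFFFFFFFu || len > buf.size() - pos) return false;  // would read past the end
        e.value.assign(buf.begin() + pos, buf.begin() + pos + len);
        pos += len; out.push_back(e);
    }
    return true;
}

// Returns the element count, or -1 when the header is rejected as malformed.
int metaElementCount(const std::vector<uint8_t>& buf) { std::vector<MetaElement> v; return parseMetaHeader(buf, v) ? static_cast<int>(v.size()) : -1; }

// Constructed sample: preamble, "DICM", one (0002,0010) UI element holding a
// transfer syntax UID. With lieAboutLength it claims 0x0200 bytes but carries 20.
std::vector<uint8_t> buildSample(bool lieAboutLength) {
    std::vector<uint8_t> f(128, 0);
    const char ts[20] = "1.2.840.10008.1.2.1";               // 19 chars + NUL pad = 20 bytes
    uint16_t len = lieAboutLength ? 0x0200 : 20;
    const uint8_t hdr[] = {'D','I','C','M', 0x02,0x00, 0x10,0x00, 'U','I',
                           static_cast<uint8_t>(len & 0xFF), static_cast<uint8_t>(len >> 8)};
    f.insert(f.end(), hdr, hdr + sizeof hdr);
    f.insert(f.end(), ts, ts + 20);
    return f;
}
```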
