CVE-2026-5437
Out-of-Bounds Read in DicomStreamReader During Metadata Parsing
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: CERT/CC
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orthanc-server | orthanc | before 1.12.11 (1.12.11 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-5437 is an out-of-bounds read vulnerability found in the Orthanc DICOM Server's DicomStreamReader component during the parsing of DICOM meta-headers.
When the server processes malformed metadata structures, the parser may read beyond the allocated metadata buffer bounds due to insufficient input validation.
Although this flaw usually does not cause server crashes or directly expose data to attackers, it indicates a critical weakness in how the server handles attacker-controlled metadata.
How can this vulnerability impact me?
This vulnerability can lead to the Orthanc DICOM Server reading memory outside the intended buffer, which may cause unpredictable behavior or potentially be leveraged in more complex attacks.
While it typically does not crash the server or directly expose sensitive data, the underlying insufficient input validation could be exploited as part of a broader attack strategy.
Users of affected versions are strongly advised to upgrade to Orthanc version 1.12.11 or later, where this vulnerability has been addressed.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability CVE-2026-5437 in the Orthanc DICOM Server has been addressed in version 1.12.11.
Users are strongly advised to upgrade their Orthanc server to version 1.12.11 or later to mitigate the risk of this out-of-bounds read vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or commands provided in the available information to identify this vulnerability on your network or system.
However, since the vulnerability occurs during parsing of malformed DICOM metadata in the Orthanc DICOM Server (version 1.12.10 and earlier), monitoring for unusual or malformed DICOM files being processed by Orthanc may help in detection.
The recommended mitigation is to upgrade Orthanc to version 1.12.11 or later, where this vulnerability has been fixed.
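As an added example (not Orthanc's DicomStreamReader and not code from this advisory), a small Python parser for the DICOM File Meta Information that compares every declared length against the buffer before reading, which is the check whose absence produces an out-of-bounds read during meta-header parsing; `is_well_formed` doubles as a triage filter for the malformed-file monitoring suggested above. The function and constant names, the simplified whole-buffer design, and the sample bytes (a valid meta-header and a copy with one length field inflated) are all constructed for this illustration. Python slicing silently truncates instead of faulting, so the explicit checks model what a native parser must do rather than what Python would otherwise enforce.

```python
import struct
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # Explicit VR: 2 reserved bytes + 4-byte length

class MalformedMetaHeader(ValueError):
    """Raised instead of reading past the buffer when a declared length is inconsistent."""

def parse_meta_header(data: bytes) -> dict:
    """Parse the File Meta Information (group 0002, Explicit VR Little Endian) into
    {(group, element): value_bytes}, checking every declared length against len(data) first."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise MalformedMetaHeader("missing 128-byte preamble or DICM magic")
    pos, elements = 132, {}
    while pos < len(data):
        if pos + 8 > len(data):
            raise MalformedMetaHeader(f"truncated element header at offset {pos}")
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # end of meta-header; the data set proper starts here
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                raise MalformedMetaHeader(f"truncated long-form header at offset {pos}")
            (length,), pos = struct.unpack_from("<I", data, pos + 8), pos + 12
        else:
            (length,), pos = struct.unpack_from("<H", data, pos + 6), pos + 8
        # The length field is attacker-controlled: refuse undefined length and anything past the buffer
        if length == 0xFFFFFFFF or pos + length > len(data):
            raise MalformedMetaHeader(f"({group:04X},{elem:04X}) declares {length} bytes, {len(data) - pos} remain")
        elements[(group, elem)] = data[pos:pos + length]
        pos += length
    return elements

def is_well_formed(data: bytes) -> bool:
    """Triage helper for incoming files: True when the meta-header parses without a bounds violation."""
    try:
        parse_meta_header(data)
        return True
    except MalformedMetaHeader:
        return False

def _element(group, elem, vr, value):
    """Encode one Explicit VR LE element (constructed sample data, not a real study)."""
    size = (b"\0\0" + struct.pack("<I", len(value))) if vr in LONG_LENGTH_VRS else struct.pack("<H", len(value))
    return struct.pack("<HH", group, elem) + vr + size + value

TRANSFER_SYNTAX = b"1.2.840.10008.1.2.1\0"  # Explicit VR Little Endian UID, NUL-padded to even length
_body = _element(0x0002, 0x0001, b"OB", b"\x00\x01") + _element(0x0002, 0x0010, b"UI", TRANSFER_SYNTAX)
VALID_SAMPLE = b"\0" * 128 + b"DICM" + _element(0x0002, 0x0000, b"UL", struct.pack("<I", len(_body))) + _body
# Same bytes with the Transfer Syntax length field inflated to 0xFFF0: trusting it would read far past the 186-byte buffer
MALFORMED_SAMPLE = VALID_SAMPLE[:-len(TRANSFER_SYNTAX) - 2] + struct.pack("<H", 0xFFF0) + TRANSFER_SYNTAX
```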