CVE-2026-5438
Gzip Decompression Bomb in Orthanc Causes Memory Exhaustion
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: CERT/CC
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orthanc-server | orthanc | all versions before 1.12.11 (1.12.11 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a gzip decompression bomb in Orthanc's HTTP server, an instance of CWE-770 (resource allocation without limits). When a request carries the header 'Content-Encoding: gzip', affected versions (before 1.12.11) decompress the body without capping the decompressed size, and they size the allocation from the compression metadata carried in the attacker-supplied gzip stream rather than from a server-side limit. An attacker who can send HTTP requests to the server can therefore submit a small gzip payload that expands to, or claims to expand to, a very large uncompressed size and force the server to allocate memory accordingly.
How can this vulnerability impact me?
A specially crafted gzip payload can make the server allocate excessive memory, potentially exhausting system memory. The result is a denial of service: the Orthanc process becomes unresponsive or crashes for lack of available memory, and any DICOM workflow depending on it stops until it is restarted. The fix is to upgrade to Orthanc 1.12.11 or later; until then, limiting which clients can reach the HTTP API reduces exposure.
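The following is an added example, written for this page and not taken from Orthanc's source (the page does not show Orthanc's actual decompression code). It demonstrates the two mechanisms the Q&A describes and the fix a practitioner would apply: first, a gzip stream can be small on the wire yet expand to many times its size, and its ISIZE trailer (the uncompressed-length field at the end of every gzip stream) is attacker-controlled, so an implementation that pre-allocates from that field can be driven to reserve up to 4 GiB from a few kilobytes of input; second, the hardened path decompresses in bounded chunks against a server-side cap instead. All function names, the 16 MiB sample payload and the 1 MiB/32 MiB caps are assumptions chosen for the illustration.

```python
"""Gzip decompression bomb: naive size-from-metadata vs bounded streaming.

Added example for CVE-2026-5438 (CWE-770); not Orthanc's own code.
"""
import struct
import zlib

GZIP_WBITS = 31  # zlib wbits value selecting the gzip container


def build_zero_gzip(total_bytes: int, chunk: int = 1 << 20) -> bytes:
    """Constructed sample payload: a gzip stream of `total_bytes` zero bytes.

    Zeros compress at roughly 1000:1 with deflate, so a multi-megabyte body
    costs the attacker only a few kilobytes on the wire. The plaintext is fed
    in chunks so that building the payload itself never holds it all in memory.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, GZIP_WBITS)
    zeros = b"\0" * chunk
    parts = []
    remaining = total_bytes
    while remaining > 0:
        n = min(chunk, remaining)
        parts.append(comp.compress(zeros[:n]))
        remaining -= n
    parts.append(comp.flush())
    return b"".join(parts)


def gzip_isize(data: bytes) -> int:
    """ISIZE: little-endian uncompressed length (mod 2**32) in the last 4 bytes."""
    return struct.unpack("<I", data[-4:])[0]


def with_forged_isize(data: bytes, isize: int) -> bytes:
    """Attacker-side: rewrite the trailer to claim any uncompressed size."""
    return data[:-4] + struct.pack("<I", isize)


def naive_reservation(data: bytes) -> int:
    """Vulnerable pattern (hypothetical): size the output buffer from ISIZE.

    Returns the number of bytes such an implementation would allocate before
    decompressing anything; the allocation itself is deliberately not performed
    here because a forged trailer would request up to 4 GiB.
    """
    return gzip_isize(data)


def bounded_decompress(data: bytes, limit: int) -> bytes:
    """Hardened pattern: stream the inflate and abort past a server-side cap.

    Output is produced at most 64 KiB per call via max_length, so memory use is
    bounded by `limit` regardless of what the trailer claims or how far the
    stream actually expands.
    """
    inflater = zlib.decompressobj(wbits=GZIP_WBITS)
    out = bytearray()
    pending = data
    while pending and not inflater.eof:
        out += inflater.decompress(pending, 64 * 1024)
        if len(out) > limit:
            raise ValueError(
                f"decompressed body exceeds limit of {limit} bytes; rejecting"
            )
        pending = inflater.unconsumed_tail
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    bomb = build_zero_gzip(16 << 20)  # 16 MiB of zeros, constructed sample
    print(f"on the wire: {len(bomb)} bytes, advertised ISIZE: {gzip_isize(bomb)}")
    forged = with_forged_isize(bomb, 0xFFFFFFFF)
    print(f"naive allocation for forged trailer: {naive_reservation(forged)} bytes")
    print(f"bounded (32 MiB cap): {len(bounded_decompress(bomb, 32 << 20))} bytes")
    try:
        bounded_decompress(bomb, 1 << 20)
    except ValueError as exc:
        print(f"bounded (1 MiB cap): {exc}")
```

Two points follow from running it. The naive path is exploitable even without a real bomb: forging ISIZE costs the attacker four bytes, and the reservation happens before zlib ever sees the data, so the trailer check zlib performs at end of stream ("incorrect length check") comes too late to help. The bounded path never trusts the trailer, keeps peak memory under the cap plus one 64 KiB chunk, and fails closed on both oversized and truncated input, which is the behaviour a `Content-Encoding: gzip` handler needs to expose safely.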