CVE-2026-5440
Memory Exhaustion via Unbounded Content-Length in HTTP Server
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orthanc-server | orthanc | to 1.12.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a memory exhaustion issue in an HTTP server caused by the unbounded use of the Content-Length header.
The server allocates memory based directly on the value provided in the Content-Length header without enforcing any upper limit.
An attacker can send a crafted HTTP request with an extremely large Content-Length value, which causes the server to allocate excessive memory and potentially terminate, even if the request body is not sent.
How can this vulnerability impact me? :
This vulnerability can lead to denial of service by causing the server to consume excessive memory and terminate unexpectedly.
An attacker can exploit this by sending a request with a very large Content-Length header, which may disrupt normal server operations and availability.