CVE-2026-5442
Heap Buffer Overflow in DICOM Decoder Causes Memory Corruption
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: CERT/CC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orthanc-server | orthanc | versions before 1.12.11 (1.12.11 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap buffer overflow in the DICOM image decoder of Orthanc (versions before 1.12.11). The DICOM standard defines the image dimension attributes with Value Representation (VR) Unsigned Short (US), which bounds each value at 65535. A crafted file can instead encode these dimension fields with VR Unsigned Long (UL); the decoder accepts them anyway, so dimension values of up to 32 bits enter the frame-size calculation. The product of the dimensions then overflows the integer used for the frame size, so the size the decoder works with no longer matches the pixel data the header describes, and the decoder reads and writes outside the intended buffer during decoding (CWE-787).
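The following is an added illustration of the pattern described above, written for this page; it is not Orthanc's code and does not reproduce the actual decoder. The header bytes, the `read_dimension`, `frame_size_unchecked`, `frame_size_checked` and `bytes_past_buffer` functions, and the dimension values are all constructed for the example. It shows how a decoder that honours VR UL for a US attribute admits a 32-bit dimension, how a 32-bit frame-size product wraps to a small number, and the two checks (VR/range validation and overflow-checked multiplication) that close the hole.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not Orthanc code. Rows (0028,0010) and Columns
 * (0028,0011) are defined with VR "US" (16-bit) in the DICOM standard. */
typedef struct {
    uint32_t rows;
    uint32_t columns;
    uint32_t samples_per_pixel;
    uint32_t bytes_per_sample;
} frame_geometry_t;

/* Reads one dimension attribute from its explicit-VR encoding.
 * Strict mode accepts only "US" (2 bytes, little-endian), so the value is
 * bounded by 65535. Lenient mode (the pattern the advisory describes)
 * also honours "UL" (4 bytes) and so lets a crafted header supply any
 * 32-bit value. Returns false if the VR/length pair is not accepted. */
bool read_dimension(const char vr[2], const uint8_t *value, uint32_t length,
                    bool lenient, uint32_t *out)
{
    if (vr[0] == 'U' && vr[1] == 'S' && length == 2) {
        *out = (uint32_t)value[0] | ((uint32_t)value[1] << 8);
        return true;
    }
    if (lenient && vr[0] == 'U' && vr[1] == 'L' && length == 4) {
        *out = (uint32_t)value[0] | ((uint32_t)value[1] << 8)
             | ((uint32_t)value[2] << 16) | ((uint32_t)value[3] << 24);
        return true;
    }
    return false;
}

/* Vulnerable pattern: the product is computed in 32 bits and silently
 * wraps, so the value used to size the pixel buffer can be tiny even
 * though the decoder later walks rows * columns pixels. */
uint32_t frame_size_unchecked(const frame_geometry_t *g)
{
    return g->rows * g->columns * g->samples_per_pixel * g->bytes_per_sample;
}

/* Hardened pattern: enforce the US range on the dimensions and use
 * overflow-checked multiplication (GCC/Clang builtin). Returns false
 * instead of ever producing a wrapped size. */
bool frame_size_checked(const frame_geometry_t *g, size_t *out)
{
    if (g->rows == 0 || g->columns == 0 ||
        g->rows > UINT16_MAX || g->columns > UINT16_MAX)
        return false;
    if (g->samples_per_pixel == 0 || g->samples_per_pixel > 4 ||
        g->bytes_per_sample == 0 || g->bytes_per_sample > 8)
        return false;

    size_t size = g->rows;
    const uint32_t factors[3] = { g->columns, g->samples_per_pixel,
                                  g->bytes_per_sample };
    for (int i = 0; i < 3; i++) {
        if (__builtin_mul_overflow(size, (size_t)factors[i], &size))
            return false;
    }
    *out = size;
    return true;
}

/* How many bytes the decoder's copy loop would write beyond a buffer of
 * buf_len bytes when it walks the full frame. Computed in 64 bits so the
 * true requirement is visible; no out-of-bounds write is performed. */
uint64_t bytes_past_buffer(const frame_geometry_t *g, uint64_t buf_len)
{
    uint64_t needed = (uint64_t)g->rows * g->columns *
                      g->samples_per_pixel * g->bytes_per_sample;
    return needed > buf_len ? needed - buf_len : 0;
}

int main(void)
{
    /* Constructed header bytes: Rows and Columns encoded as UL instead of US. */
    const uint8_t rows_ul[4]    = { 0x00, 0x00, 0x01, 0x00 };  /* 65536 */
    const uint8_t columns_ul[4] = { 0x01, 0x00, 0x01, 0x00 };  /* 65537 */
    frame_geometry_t g = { 0, 0, 1, 1 };
    size_t safe_size = 0;

    if (!read_dimension("UL", rows_ul, 4, true, &g.rows) ||
        !read_dimension("UL", columns_ul, 4, true, &g.columns)) {
        puts("strict decoder: UL dimensions rejected");
        return 0;
    }
    printf("lenient decoder: rows=%u columns=%u\n", g.rows, g.columns);
    printf("unchecked frame size: %u bytes\n", frame_size_unchecked(&g));
    printf("bytes written past that buffer: %llu\n",
           (unsigned long long)bytes_past_buffer(&g, frame_size_unchecked(&g)));
    printf("checked frame size accepted: %s\n",
           frame_size_checked(&g, &safe_size) ? "yes" : "no");
    return 0;
}
```

With the constructed 65536 x 65537 frame, the 32-bit product wraps to 65536 bytes while the decoder would need over 4 GiB, so roughly 2^32 bytes of pixel data land outside the buffer; with `read_dimension` in strict mode the UL-encoded attributes are never accepted, and `frame_size_checked` rejects the geometry independently of the VR fix, which is the layered check a reviewer would want.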
How can this vulnerability impact me?
Because the overflow is triggered by the contents of a DICOM file, any path by which the affected Orthanc server decodes attacker-supplied images (for example files received over the DICOM protocol or uploaded through its REST API) is an exposure. The out-of-bounds access can crash the decoder (denial of service), corrupt heap memory, and, depending on what the overflow overwrites, potentially allow an attacker to execute arbitrary code with the privileges of the server process. Upgrading to Orthanc 1.12.11 or later removes the flaw; until then, restricting which hosts and users may send images to the server reduces exposure.