CVE-2026-5444
Heap Buffer Overflow in Orthanc PAM Image Parsing Causes Memory Corruption
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: CERT/CC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orthanc-server | orthanc | up to 1.12.11 (1.12.11 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How can this vulnerability impact me?
The heap buffer overflow can lead to memory corruption, which may cause the application to crash or allow an attacker to execute arbitrary code. This can compromise the security and stability of the system running Orthanc, potentially leading to unauthorized access or denial of service.
Can you explain this vulnerability to me?
This vulnerability is a heap buffer overflow in the PAM image parsing logic of Orthanc. It occurs when Orthanc processes a specially crafted PAM image embedded within a DICOM file. The image dimensions are multiplied using 32-bit unsigned arithmetic, which can cause an integer overflow during the calculation of the buffer size. As a result, a smaller buffer than needed is allocated, but a much larger write operation happens during pixel processing, leading to a buffer overflow.
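The size calculation described above, as an added example that is not Orthanc's code: the wrapping 32-bit product beside an overflow-checked size_t version. The function names and the PAM_MAX_PIXEL_BYTES cap are assumptions for illustration, not identifiers from the project.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Vulnerable pattern: header fields multiplied in 32-bit unsigned arithmetic;
 * the product wraps modulo 2^32, so the allocation can be far smaller than
 * the pixel data later written into it. */
uint32_t pam_buffer_size_wrapping(uint32_t width, uint32_t height,
                                  uint32_t channels, uint32_t bytes_per_sample)
{
    return width * height * channels * bytes_per_sample;
}

/* Portable overflow-checked multiply (no compiler builtins needed). */
static bool mul_checked(size_t a, size_t b, size_t *r)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *r = a * b;
    return true;
}

/* Hardened form: widen to size_t, check each multiplication, and cap the
 * result with an assumed policy limit so a valid-but-huge header cannot force
 * a multi-gigabyte allocation. Returns false when the header is rejected. */
#define PAM_MAX_PIXEL_BYTES ((size_t)1 << 30) /* assumed limit: 1 GiB */
bool pam_buffer_size_checked(uint32_t width, uint32_t height,
                             uint32_t channels, uint32_t bytes_per_sample,
                             size_t *out)
{
    size_t total;
    if (!mul_checked(width, height, &total) ||
        !mul_checked(total, channels, &total) ||
        !mul_checked(total, bytes_per_sample, &total))
        return false;
    if (total > PAM_MAX_PIXEL_BYTES)
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper for callers that treat 0 as "header rejected". */
size_t pam_checked_or_zero(uint32_t w, uint32_t h, uint32_t ch, uint32_t bps)
{
    size_t n = 0;
    return pam_buffer_size_checked(w, h, ch, bps, &n) ? n : 0;
}
```

With constructed dimensions 65537 x 65536 (1 channel, 1 byte per sample) the wrapping version returns 65536 bytes while the checked version rejects the header; an ordinary 512 x 512 RGB 16-bit image is accepted by both.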