CVE-2026-10528
Stack-Based Buffer Overflow in Orthanc DICOM Server
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orthanc | orthanc | up to 1.12.11 (inclusive) |
| orthanc | orthanc | up to 1.12.10 (inclusive) |
| dcmtk | dcmtk | 3.7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10528 is a Denial of Service (DoS) vulnerability in the Orthanc DICOM Server up to version 1.12.11. The issue arises from a stack-based buffer overflow caused by deeply nested DICOM sequences during parsing. Specifically, the vulnerability affects the function DcmItem::read in the DCMTK Parser component, which Orthanc uses for handling DICOM files.
An attacker can exploit this vulnerability by crafting a malicious DICOM file with excessive nesting of sequences, which leads to unbounded recursion and exhaustion of the call stack. This causes the Orthanc server to crash or become unavailable.
The vulnerability requires local access to the server to perform the attack. The issue has been fixed by introducing compile-time and runtime limits on the maximum allowed sequence nesting depth (defaulting to 64) in the DCMTK library, along with error handling when the limit is exceeded.
How can this vulnerability impact me?
This vulnerability can cause a Denial of Service (DoS) condition on the Orthanc DICOM server by crashing the server process when it attempts to parse a maliciously crafted DICOM file with deeply nested sequences.
- The server crash results in complete unavailability of all Orthanc services until the server is manually restarted.
- In clinical environments where Orthanc is used for patient imaging, this can disrupt access to critical medical imaging data.
- Since the attack requires local access, the risk is limited to users or processes with local privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to upload or process a maliciously crafted DICOM file containing deeply nested sequences that exceed normal nesting levels (around 50 or more). Such files cause the Orthanc server to crash due to a stack overflow.
A practical detection method involves using a Proof of Concept (PoC) script that generates a DICOM file with excessive nesting. This file can then be uploaded to the Orthanc server using a curl command to observe if the server crashes or becomes unresponsive.
- Generate a malicious DICOM file with the PoC script that creates deeply nested sequences.
- Upload the crafted DICOM file to the Orthanc server using a command like: `curl -X POST --data-binary @malicious.dcm http://orthanc-server/instances`
If the Orthanc server crashes or the civetweb HTTP worker thread experiences a segmentation fault, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to deploy the patch provided by Orthanc that fixes this vulnerability. The patch introduces compile-time and runtime limits on the maximum allowed nesting depth of DICOM sequences to prevent stack overflow.
Specifically, update Orthanc to the version that includes changeset bae99026ca97 or later, which implements a maximum sequence nesting limit (defaulting to 64) and adds error handling when this limit is exceeded.
Additionally, ensure that the DCMTK library dependency is upgraded to version 3.7.0 or later with the hotfix addressing this issue.
Until the patch is applied, restrict local access to the Orthanc server to trusted users only, as the exploit requires a local attack vector.
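The mechanism described above (unbounded recursion on nested sequences) and the fix (a maximum nesting depth, default 64, with an error when it is exceeded) as an added C++ example; this is not DCMTK's or Orthanc's code, and the byte format it parses is a constructed toy, not real DICOM encoding. The names `readSequence`, `parseDataset` and `nestedDataset` are assumptions for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy nested-sequence encoding (constructed for this example, NOT real DICOM):
// 'S' opens a sequence, 'E' closes the innermost open sequence, and any
// other byte is a leaf element with no children.
enum class ParseStatus { Ok, NestingTooDeep, Truncated, Malformed };

// Mirrors the 64-level default the fix description gives; callers may lower it.
constexpr std::size_t kDefaultMaxNesting = 64;

struct ParseResult {
    ParseStatus status;
    std::size_t maxDepthSeen;  // deepest sequence level actually entered
};

// Recursive descent over one sequence body. `depth` is how many sequences
// enclose the current position. The limit check runs before any further
// recursion, so the recursion depth is bounded by the limit, not by the input.
static ParseStatus readSequence(const std::vector<uint8_t>& buf, std::size_t& pos,
                                std::size_t depth, std::size_t maxNesting,
                                std::size_t& maxSeen) {
    if (depth > maxNesting) return ParseStatus::NestingTooDeep;
    if (depth > maxSeen) maxSeen = depth;
    while (pos < buf.size()) {
        const uint8_t b = buf[pos++];
        if (b == 'E') return depth == 0 ? ParseStatus::Malformed : ParseStatus::Ok;
        if (b == 'S') {
            const ParseStatus st = readSequence(buf, pos, depth + 1, maxNesting, maxSeen);
            if (st != ParseStatus::Ok) return st;  // propagate; do not keep parsing
        }
        // any other byte is a leaf element: consume it and continue
    }
    return depth == 0 ? ParseStatus::Ok : ParseStatus::Truncated;
}

// Entry point: depth 0 is the top-level data set (not inside any sequence).
ParseResult parseDataset(const std::vector<uint8_t>& buf,
                         std::size_t maxNesting = kDefaultMaxNesting) {
    std::size_t pos = 0, maxSeen = 0;
    const ParseStatus st = readSequence(buf, pos, 0, maxNesting, maxSeen);
    return {st, maxSeen};
}

// Constructed test input: `levels` sequences nested inside each other around
// a single leaf element, each properly closed.
std::vector<uint8_t> nestedDataset(std::size_t levels) {
    std::vector<uint8_t> out(levels, 'S');
    out.push_back('x');
    out.insert(out.end(), levels, 'E');
    return out;
}
```

Without the `depth > maxNesting` check, an input with hundreds of thousands of nested openings would drive the recursion until the call stack is exhausted; with it, the parser returns `NestingTooDeep` after at most 65 levels and the caller can reject the file.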
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a Denial of Service (DoS) in Orthanc DICOM Server by crashing the server when processing maliciously crafted DICOM files with deeply nested sequences.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the vulnerability's impact on availability could affect compliance indirectly.
Specifically, Orthanc is used in clinical environments for patient imaging, and a DoS could disrupt access to medical images and patient data, potentially impacting the availability requirement of regulations like HIPAA.
However, there is no direct information provided about data confidentiality or integrity breaches, nor explicit references to regulatory compliance consequences.