CVE-2026-10528
Deferred Deferred - Pending Action
Stack-Based Buffer Overflow in Orthanc DICOM Server

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10528
EUVD
EUVD-2026-33854
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
orthanc orthanc to 1.12.11 (inc)
orthanc orthanc to 1.12.10 (inc)
dcmtk dcmtk 3.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10528 is a Denial of Service (DoS) vulnerability in the Orthanc DICOM Server up to version 1.12.11. The issue arises from a stack-based buffer overflow caused by deeply nested DICOM sequences during parsing. Specifically, the vulnerability affects the function DcmItem::read in the DCMTK Parser component, which Orthanc uses for handling DICOM files.

An attacker can exploit this vulnerability by crafting a malicious DICOM file with excessive nesting of sequences, which leads to unbounded recursion and exhaustion of the call stack. This causes the Orthanc server to crash or become unavailable.

The vulnerability requires local access to the server to perform the attack. The issue has been fixed by introducing compile-time and runtime limits on the maximum allowed sequence nesting depth (defaulting to 64) in the DCMTK library, along with error handling when the limit is exceeded.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) condition on the Orthanc DICOM server by crashing the server process when it attempts to parse a maliciously crafted DICOM file with deeply nested sequences.

  • The server crash results in complete unavailability of all Orthanc services until the server is manually restarted.
  • In clinical environments where Orthanc is used for patient imaging, this can disrupt access to critical medical imaging data.
  • Since the attack requires local access, the risk is limited to users or processes with local privileges.
Detection Guidance

This vulnerability can be detected by attempting to upload or process a maliciously crafted DICOM file containing deeply nested sequences that exceed normal nesting levels (around 50 or more). Such files cause the Orthanc server to crash due to a stack overflow.

A practical detection method involves using a Proof of Concept (PoC) script that generates a DICOM file with excessive nesting. This file can then be uploaded to the Orthanc server using a curl command to observe if the server crashes or becomes unresponsive.

  • Generate a malicious DICOM file with the PoC script that creates deeply nested sequences.
  • Upload the crafted DICOM file to the Orthanc server using a command like: curl -X POST --data-binary @malicious.dcm http://orthanc-server/instances

If the Orthanc server crashes or the civetweb HTTP worker thread experiences a segmentation fault, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to deploy the patch provided by Orthanc that fixes this vulnerability. The patch introduces compile-time and runtime limits on the maximum allowed nesting depth of DICOM sequences to prevent stack overflow.

Specifically, update Orthanc to the version that includes changeset bae99026ca97 or later, which implements a maximum sequence nesting limit (defaulting to 64) and adds error handling when this limit is exceeded.

Additionally, ensure that the DCMTK library dependency is upgraded to version 3.7.0 or later with the hotfix addressing this issue.

Until the patch is applied, restrict local access to the Orthanc server to trusted users only, as the exploit requires local attack vector.

Compliance Impact

This vulnerability causes a Denial of Service (DoS) in Orthanc DICOM Server by crashing the server when processing maliciously crafted DICOM files with deeply nested sequences.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the vulnerability's impact on availability could affect compliance indirectly.

Specifically, Orthanc is used in clinical environments for patient imaging, and a DoS could disrupt access to medical images and patient data, potentially impacting the availability requirement of regulations like HIPAA.

However, there is no direct information provided about data confidentiality or integrity breaches, nor explicit references to regulatory compliance consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10528. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart