
Critical Orthanc DICOM Server Vulnerabilities Expose Healthcare Systems to Crashes and Remote Code Execution (RCE)


Executive Summary

Critical vulnerabilities have been identified in Orthanc, the widely adopted open-source DICOM server used for medical imaging workflows across healthcare and research environments. These vulnerabilities, present in all versions up to and including 1.12.10, enable attackers to crash servers, exhaust system memory, leak sensitive information, and in certain scenarios, achieve remote code execution (RCE). The root causes include unsafe arithmetic operations, missing bounds checks, and insufficient validation of attacker-controlled metadata within DICOM files and HTTP requests. Given the prevalence of Orthanc in healthcare infrastructure and the sensitive nature of medical imaging data, these flaws represent a substantial risk to operational continuity and patient privacy. Immediate action is required: all users are strongly advised to upgrade to Orthanc version 1.12.11 or later to mitigate these threats.

Technical Information

The vulnerabilities in Orthanc stem from a combination of memory safety issues and logic errors in the parsing and processing of DICOM files and related image formats. Attackers can exploit these flaws by submitting specially crafted DICOM files or HTTP requests to a vulnerable Orthanc server, either over the network or via authenticated upload mechanisms.

The most critical vulnerabilities include:

CVE-2026-5442 describes a heap buffer overflow in the DICOM image decoder. The vulnerability arises when dimension fields are encoded as VR UL (Unsigned Long) instead of the expected VR US (Unsigned Short). This allows an attacker to specify extremely large image dimensions, which can cause integer overflows and result in out-of-bounds memory access during image decoding. Successful exploitation can lead to server crashes, information disclosure, or arbitrary code execution, depending on the attacker’s skill and the system’s configuration. The technical advisory from Machine Spirits UG details how this flaw can be triggered by manipulating DICOM metadata, bypassing standard validation routines.

CVE-2026-5444 affects the PAM image parsing logic within Orthanc. Here, a crafted PAM image embedded in a DICOM file can exploit 32-bit integer arithmetic errors, causing an undersized memory allocation. Subsequent image processing operations then write data beyond the allocated buffer, resulting in a heap buffer overflow. This can be leveraged to crash the server or, in advanced attack scenarios, execute arbitrary code.
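The two heap overflows above share one mechanism: a size derived from attacker-controlled metadata (image dimensions, PAM header fields) is computed in arithmetic that can wrap, so the buffer comes out smaller than the data later written into it. The C++ below is an added example written for this advisory, not Orthanc's code and not the Machine Spirits proof-of-concept; it places the checks a decoder needs (VR validation, overflow-checked multiplication, an absolute cap) next to the 32-bit product that fails. The `DimensionField` struct, the function names and the 1 GiB cap are assumptions for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>

// Hypothetical representation of a dimension field (Rows or Columns) as read
// from a DICOM element: the two-letter VR it was encoded with and its value.
struct DimensionField {
    const char* vr;    // "US" is expected; "UL" is the case the advisory describes
    uint64_t    value; // decoded numeric value
};

// Accept a dimension only if it was encoded as VR US and is a non-zero 16-bit
// value. Returns 0 to signal rejection (0 is never a valid dimension).
uint32_t checkedDimension(const DimensionField& f) {
    if (std::strcmp(f.vr, "US") != 0) return 0;      // wrong VR: do not trust the value
    if (f.value == 0 || f.value > 0xFFFF) return 0;   // outside the 16-bit range
    return static_cast<uint32_t>(f.value);
}

// Multiply without silently wrapping; returns false if the product overflows.
bool checkedMul(uint64_t a, uint64_t b, uint64_t& out) {
    if (a != 0 && b > std::numeric_limits<uint64_t>::max() / a) return false;
    out = a * b;
    return true;
}

// Assumed policy cap on a single decoded pixel buffer (not an Orthanc value).
constexpr uint64_t kMaxPixelBufferBytes = 1ull << 30;  // 1 GiB

// width * height * bytesPerPixel, computed in 64 bits with overflow checks and
// capped. Returns 0 when the size is invalid; a 0 result means "do not allocate".
uint64_t safePixelBufferSize(uint64_t width, uint64_t height, uint64_t bytesPerPixel) {
    uint64_t area = 0, total = 0;
    if (!checkedMul(width, height, area)) return 0;
    if (!checkedMul(area, bytesPerPixel, total)) return 0;
    if (total == 0 || total > kMaxPixelBufferBytes) return 0;
    return total;
}

// The failure mode behind both CVEs, shown for contrast: the same product done
// in 32-bit arithmetic wraps modulo 2^32, so oversized dimensions can yield a
// tiny (or zero) allocation that later pixel writes overrun.
uint32_t naive32BitSize(uint32_t width, uint32_t height, uint32_t bytesPerPixel) {
    return width * height * bytesPerPixel;
}
```

The VR check is the one that matters for CVE-2026-5442: once a decoder only accepts VR US for Rows and Columns, the values cannot exceed 65535 and the 64-bit product cannot overflow, which makes the cap a policy decision rather than a memory-safety one.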

CVE-2026-5438, CVE-2026-5439, and CVE-2026-5440 are memory exhaustion vulnerabilities. Attackers can submit gzip decompression bombs, ZIP archives with forged metadata, or HTTP requests with unbounded Content-Length headers. These payloads force Orthanc to allocate excessive memory, leading to denial-of-service conditions with minimal attacker effort.
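For the three memory-exhaustion issues the defensive pattern is the same: never size an allocation from a number the client supplied, and count what is actually produced rather than what the metadata declared. The C++ below is an added example, not Orthanc code; `parseContentLength`, `BoundedSink`, `streamFitsWithin` and the 256 MiB / 1 GiB limits are illustrative assumptions, and the decompressor is simulated in place of a real zlib or ZIP reader.

```cpp
#include <cstdint>
#include <cstddef>
#include <string>

// Assumed policy limits (not Orthanc's configuration values).
constexpr uint64_t kMaxRequestBody  = 256ull * 1024 * 1024;  // 256 MiB per HTTP body
constexpr uint64_t kMaxDecompressed = 1ull << 30;            // 1 GiB per decompressed payload

// Parse a Content-Length value strictly: ASCII digits only, no sign, no
// arithmetic overflow, and nothing above the configured body limit.
// Returns false to reject the request; on success 'length' holds the value.
bool parseContentLength(const std::string& value, uint64_t& length) {
    if (value.empty() || value.size() > 20) return false;   // 2^64 - 1 has 20 digits
    uint64_t n = 0;
    for (char c : value) {
        if (c < '0' || c > '9') return false;                // rejects "+", "-", spaces, "1e9"
        uint64_t digit = static_cast<uint64_t>(c - '0');
        if (n > (UINT64_MAX - digit) / 10) return false;     // n * 10 + digit would overflow
        n = n * 10 + digit;
    }
    if (n > kMaxRequestBody) return false;
    length = n;
    return true;
}

// Counts the bytes a decompressor actually emits and refuses to pass the limit.
// A ZIP entry's declared uncompressed size or a gzip ISIZE trailer is only a
// hint (and can be forged); the number of bytes emitted is what gets enforced.
class BoundedSink {
public:
    explicit BoundedSink(uint64_t limit) : limit_(limit) {}
    // Returns false, and keeps returning false, once the limit would be exceeded.
    bool write(const uint8_t* /*data*/, size_t n) {
        if (rejected_ || n > limit_ - written_) { rejected_ = true; return false; }
        written_ += n;  // a real sink would also store or stream the bytes here
        return true;
    }
    bool rejected() const { return rejected_; }
    uint64_t written() const { return written_; }
private:
    uint64_t limit_;
    uint64_t written_ = 0;
    bool rejected_ = false;
};

// Stand-in for a decompressor loop: a "bomb" expands to actualOutputBytes
// regardless of what its metadata declared. Returns true only if the entire
// output fit under the limit; otherwise processing stops at the offending chunk
// instead of allocating the whole thing up front.
bool streamFitsWithin(uint64_t limit, uint64_t actualOutputBytes) {
    static const uint8_t chunk[64 * 1024] = {};   // 64 KiB of filler output
    BoundedSink sink(limit);
    while (actualOutputBytes > 0) {
        size_t n = actualOutputBytes < sizeof chunk ? static_cast<size_t>(actualOutputBytes)
                                                    : sizeof chunk;
        if (!sink.write(chunk, n)) return false;
        actualOutputBytes -= n;
    }
    return true;
}

// Declared sizes are still useful as an early reject: refuse up front anything
// that claims to be larger than the cap, then enforce the cap again while decoding.
bool declaredSizeAcceptable(uint64_t declaredUncompressedSize) {
    return declaredUncompressedSize <= kMaxDecompressed;
}
```

The two checks are complementary: the declared-size test is cheap and rejects honest oversize uploads early, while the sink is what stops a forged ZIP header or a gzip bomb, because neither of those tells the truth about its output size.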

Other vulnerabilities, such as CVE-2026-5437, CVE-2026-5441, CVE-2026-5443, and CVE-2026-5445, involve out-of-bounds reads and heap buffer overflows in various image decoding routines, including PALETTE COLOR DICOM images and lookup table decoding. These issues can result in information disclosure, server instability, and potential code execution.

The attack surface is broad: any Orthanc instance exposed to untrusted networks or accepting DICOM uploads from external sources is at risk. Malicious DICOM files may persist in storage and trigger exploitation during routine processing, compounding the threat. The vulnerabilities are rated as high severity, with CVSS scores reaching up to 8.8.

Exploitation in the Wild

As of the latest open-source intelligence and vendor advisories, there are no confirmed reports of active exploitation or publicly available proof-of-concept (PoC) code targeting these specific Orthanc vulnerabilities. SecurityWeek, CERT/CC, and Machine Spirits UG have not observed exploitation by threat actors in the wild. However, historical precedent shows that previous Orthanc vulnerabilities have been targeted for denial-of-service and data exposure attacks. Given the criticality and ease of exploitation, it is plausible that attackers will attempt to weaponize these flaws, especially if unpatched systems remain accessible on the internet or within healthcare networks.

Indicators of compromise include unexpected server crashes or restarts following the receipt of DICOM files from untrusted sources, unexplained spikes in memory usage, and log entries indicating heap corruption or out-of-bounds memory access. The presence of malformed DICOM files with oversized dimensions or embedded PAM images should be treated as a red flag for attempted exploitation.
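One way to act on the last indicator, triaging stored DICOM files for dimension tags carried with the wrong VR, as an added example that is not part of the advisory and not Orthanc's parser: a minimal explicit VR little endian element walker in C++ that flags Rows (0028,0010) and Columns (0028,0011) elements not encoded as a single VR US value. It assumes a bare element stream (preamble, "DICM" marker and file meta group already stripped, which a real tool would have to skip), and the two sample streams are constructed fixtures rather than files from the page.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// A finding for one suspicious data element: its tag and why it was flagged.
struct Finding {
    uint16_t group;
    uint16_t element;
    std::string reason;
};

static uint16_t rd16(const uint8_t* p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// VRs whose explicit-VR encoding uses 2 reserved bytes and a 4-byte length.
static bool hasLongLength(const char* vr) {
    static const char* const longVrs[] = {"OB", "OD", "OF", "OL", "OW", "SQ", "UC", "UN", "UR", "UT"};
    for (const char* v : longVrs) {
        if (vr[0] == v[0] && vr[1] == v[1]) return true;
    }
    return false;
}

// Walk an explicit VR little endian element stream and flag Rows or Columns
// elements that are not a single VR US value. Stops at the first element whose
// declared length runs past the buffer, which is reported as a finding too.
std::vector<Finding> scanDimensions(const std::vector<uint8_t>& buf) {
    std::vector<Finding> findings;
    size_t pos = 0;
    while (pos + 8 <= buf.size()) {
        uint16_t group = rd16(&buf[pos]);
        uint16_t element = rd16(&buf[pos + 2]);
        char vr[3] = {static_cast<char>(buf[pos + 4]), static_cast<char>(buf[pos + 5]), 0};
        uint32_t length;
        size_t header;
        if (hasLongLength(vr)) {
            if (pos + 12 > buf.size()) { findings.push_back({group, element, "truncated header"}); break; }
            length = rd32(&buf[pos + 8]);
            header = 12;
        } else {
            length = rd16(&buf[pos + 6]);
            header = 8;
        }
        if (length > buf.size() - pos - header) {   // also catches the 0xFFFFFFFF undefined-length marker
            findings.push_back({group, element, "declared length runs past end of data"});
            break;
        }
        if (group == 0x0028 && (element == 0x0010 || element == 0x0011)) {
            if (std::strcmp(vr, "US") != 0) {
                findings.push_back({group, element, std::string("dimension encoded as VR ") + vr + " instead of US"});
            } else if (length != 2) {
                findings.push_back({group, element, "dimension is not a single 16-bit value"});
            } else if (rd16(&buf[pos + header]) == 0) {
                findings.push_back({group, element, "zero-sized dimension"});
            }
        }
        pos += header + length;
    }
    return findings;
}

// Constructed fixtures (not real DICOM files): elements encoded by hand.
static void putUS(std::vector<uint8_t>& b, uint16_t g, uint16_t e, uint16_t v) {
    const uint8_t bytes[] = {uint8_t(g), uint8_t(g >> 8), uint8_t(e), uint8_t(e >> 8),
                             'U', 'S', 2, 0, uint8_t(v), uint8_t(v >> 8)};
    b.insert(b.end(), bytes, bytes + sizeof bytes);
}
static void putUL(std::vector<uint8_t>& b, uint16_t g, uint16_t e, uint32_t v) {
    const uint8_t bytes[] = {uint8_t(g), uint8_t(g >> 8), uint8_t(e), uint8_t(e >> 8),
                             'U', 'L', 4, 0, uint8_t(v), uint8_t(v >> 8), uint8_t(v >> 16), uint8_t(v >> 24)};
    b.insert(b.end(), bytes, bytes + sizeof bytes);
}

// A well-formed 512x512 image header fragment.
std::vector<uint8_t> benignSample() {
    std::vector<uint8_t> b;
    putUS(b, 0x0028, 0x0010, 512);
    putUS(b, 0x0028, 0x0011, 512);
    return b;
}

// Rows carried as VR UL with a value that cannot fit in 16 bits: the shape the
// advisory describes, which a decoder that ignores the VR would accept as-is.
std::vector<uint8_t> malformedSample() {
    std::vector<uint8_t> b;
    putUL(b, 0x0028, 0x0010, 65536);
    putUS(b, 0x0028, 0x0011, 512);
    return b;
}
```

Run over a quarantine directory before files reach the decoder, this turns the advisory's red flag into an automated check. A production tool would also need to handle implicit VR transfer syntaxes, where no VR is present in the stream and the dimension value has to be range-checked directly, and sequences with undefined length, which this walker simply reports and stops at.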

APT Groups using this vulnerability

At this time, there is no evidence from open sources, threat intelligence feeds, or vendor advisories that any Advanced Persistent Threat (APT) groups or organized cybercriminal actors are actively exploiting these Orthanc vulnerabilities. No sector- or country-specific targeting has been reported. The vulnerabilities are, however, highly attractive to both opportunistic and targeted attackers due to the potential for remote code execution and the sensitive nature of medical imaging data. Healthcare organizations, research institutions, and any entity operating Orthanc servers should remain vigilant, as the threat landscape can evolve rapidly once exploit code becomes available.

Affected Product Versions

All versions of Orthanc DICOM Server up to and including 1.12.10 are affected by these vulnerabilities. This is confirmed by advisories from SecurityWeek, News4Hackers, and the National Vulnerability Database (NVD). Users must upgrade to Orthanc version 1.12.11 or later to ensure all known vulnerabilities are addressed.

Workaround and Mitigation

The primary mitigation is to upgrade Orthanc to version 1.12.11 or later, as this release contains patches for all known vulnerabilities. In addition to patching, organizations should restrict upload and image processing endpoints to trusted users and networks, minimizing exposure to untrusted sources. Network segmentation and firewall rules should be employed to limit access to Orthanc servers, especially in healthcare environments where sensitive data is processed. Administrators should monitor server logs for abnormal crashes, memory exhaustion events, or the presence of malformed DICOM files. Regular vulnerability scanning and penetration testing are recommended to identify and remediate any residual exposure. Where immediate patching is not feasible, disabling DICOM file uploads from untrusted sources and enforcing strict input validation can reduce risk, though these are not substitutes for applying the official security update.

References

CERT/CC Vulnerability Note VU#536588: https://kb.cert.org/vuls/id/536588
NVD Entry for CVE-2026-5442: https://nvd.nist.gov/vuln/detail/CVE-2026-5442
Machine Spirits Advisory: Heap Buffer Overflow in PAM Image Buffer Allocation (CVE-2026-5444): https://www.machinespirits.com/advisory/b7ced5/
Machine Spirits Advisory: Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions (CVE-2026-5442): https://www.machinespirits.com/advisory/615070/
Orthanc Official Website: https://www.orthanc-server.com/
SecurityWeek: Orthanc DICOM Vulnerabilities Lead to Crashes, RCE: https://www.securityweek.com/orthanc-dicom-vulnerabilities-lead-to-crashes-rce/
News4Hackers: Orthanc DICOM Vulnerabilities Expose System to Crashes and Remote Code Execution: https://www.news4hackers.com/orthanc-dicom-vulnerabilities-expose-system-to-crashes-and-remote-code-execution/

Rescana is here for you

At Rescana, we understand the critical importance of securing your digital supply chain and third-party risk landscape. Our advanced TPRM platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their vendor ecosystem. While this advisory focuses on Orthanc vulnerabilities, our solutions are designed to help you proactively identify and address emerging threats across all your critical assets. If you have any questions about this advisory or require assistance with your cybersecurity posture, our team is ready to help. Please contact us at ops@rescana.com.
