www.securityweek.com 4/10/2026, 12:01:39 PM

Nine Orthanc DICOM bugs risk


Nine vulnerabilities in the open source DICOM server Orthanc have been disclosed, tracked as CVE-2026-5437 to CVE-2026-5445. They could be exploited to crash servers, leak data, and potentially achieve remote code execution. The defects stem from insufficient validation of metadata, missing checks, and unsafe arithmetic in various components; the most severe are described as heap-based buffer overflows in image parsing and decoding logic.

The flaws include an out-of-bounds read in the meta-header parser, a GZIP decompression bomb, a memory-exhaustion issue in ZIP archive handling, and an HTTP server that allocates memory based on untrusted header values, all of which can lead to crashes or data leakage. Additional issues affect the Philips Compression format decoder, Palette Colour image decoding, and PAM image parsing, each enabling out-of-bounds memory access when fed crafted inputs.
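Two of the classes named above, the decompression bomb and the allocation sized from an untrusted header, share one root cause: the server trusts a length it has not bounded. The following Python is an added illustration of the defensive pattern, written for this summary; it is not Orthanc's code and makes no claim about how Orthanc's GZIP or HTTP handling is implemented. The byte caps, the `Content-Length` parsing and the constructed sample inputs are all assumptions of the demo.

```python
import gzip
import io
import re

# Caps are constructed values for this demo; a real server sizes them to its workload.
MAX_DECOMPRESSED_BYTES = 1 * 1024 * 1024   # 1 MiB of GZIP output
MAX_BODY_BYTES = 8 * 1024 * 1024           # 8 MiB request body
CHUNK = 64 * 1024                          # fixed read size; never sized from input

_DECIMAL = re.compile(r"[0-9]+")           # ASCII digits only (no sign, no hex, no '1e9')


class DecompressionLimitExceeded(Exception):
    """Raised when GZIP output would exceed the configured cap."""


def bounded_gunzip(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Decompress GZIP data incrementally, refusing once output passes `limit`.

    Reading in fixed chunks means a few KiB of compressed input that expand to
    gigabytes are cut off after `limit` bytes instead of exhausting memory.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        while True:
            chunk = gz.read(CHUNK)
            if not chunk:
                break
            if len(out) + len(chunk) > limit:
                raise DecompressionLimitExceeded(
                    f"GZIP output exceeds {limit} bytes; treating input as a decompression bomb"
                )
            out.extend(chunk)
    return bytes(out)


def validated_content_length(headers: dict, limit: int = MAX_BODY_BYTES) -> int:
    """Return a Content-Length that is safe to allocate for, or raise ValueError.

    The header is attacker-controlled: it must be a plain non-negative decimal
    integer and must not exceed `limit` before any buffer is sized from it.
    """
    raw = headers.get("Content-Length")
    if raw is None:
        return 0
    raw = raw.strip()
    if not _DECIMAL.fullmatch(raw):
        raise ValueError(f"malformed Content-Length: {raw!r}")
    length = int(raw)
    if length > limit:
        raise ValueError(f"Content-Length {length} exceeds cap of {limit} bytes")
    return length


def read_body(stream, headers: dict, limit: int = MAX_BODY_BYTES) -> bytes:
    """Read exactly the validated length from `stream` in bounded chunks.

    The buffer grows with bytes actually received, never with the declared
    value alone, so a large header cannot force a large allocation up front.
    """
    length = validated_content_length(headers, limit)
    out = bytearray()
    while len(out) < length:
        chunk = stream.read(min(CHUNK, length - len(out)))
        if not chunk:
            raise ValueError("body shorter than declared Content-Length")
        out.extend(chunk)
    return bytes(out)


def make_demo_bomb(expanded_size: int = 4 * 1024 * 1024) -> bytes:
    """Constructed sample: a few KiB of GZIP that expand to `expanded_size` zero bytes."""
    return gzip.compress(b"\x00" * expanded_size)


if __name__ == "__main__":
    print(bounded_gunzip(gzip.compress(b"hello dicom")))
    try:
        bounded_gunzip(make_demo_bomb())
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
    print(validated_content_length({"Content-Length": "1024"}))
    print(read_body(io.BytesIO(b"abc"), {"Content-Length": "3"}))
```

The same shape applies to ZIP handling: decide the cap before decoding, count output as it is produced, and abort on the first byte past the cap rather than checking the total afterwards.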

CERT/CC notes that these could enable remote code execution under certain conditions. Orthanc versions 1.12.10 and earlier are affected, with a fix available in version 1.12.11. The discoveries were made by researchers at Machine Spirits, according to advisory notes.

Written by Ionut Arghire, 10 April 2026.


Article by CyberSIXT