{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5438", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-02T19:21:58.543Z", "datePublished": "2026-04-09T14:44:05.375Z", "dateUpdated": "2026-04-14T16:34:26.623Z"}, "containers": {"cna": {"title": "Gzip Decompression Bomb via Content-Encoding Header", "descriptions": [{"lang": "en", "value": "A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.10", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5438"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:44:05.375Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:13:20.018057Z", "id": "CVE-2026-5438", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:34:26.623Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5438", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:13:20.018057Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:13:15.906Z"}}], "cna": {"title": "Gzip Decompression Bomb via Content-Encoding Header", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.12.10"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5438"}, "descriptions": [{"lang": "en", "value": "A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:44:05.375Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5438", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:34:26.623Z", "dateReserved": "2026-04-02T19:21:58.543Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-09T14:44:05.375Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*", "matchCriteriaId": "A259075D-8B77-4B04-BC42-3E5ABE9DFE1F", "versionEndExcluding": "1.12.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory."}], "id": "CVE-2026-5438", "lastModified": "2026-04-15T19:31:48.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T15:16:15.327", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://kb.cert.org/vuls/id/536588"}, {"source": "cret@cert.org", "tags": ["Not Applicable"], "url": "https://www.machinespirits.de/"}, {"source": "cret@cert.org", "tags": ["Product"], "url": "https://www.orthanc-server.com/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.12.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DICOM Server", "source": "cna", "vendor": "Orthanc"}, "product": "dicom_server", "vendor": "orthanc"}], "analysis": {"en": {"generated_at": "2026-04-15T22:34:04.700597+00:00", "value": {"mitigation_remediation": ["Check the Orthanc vendor website for a patch or newer release that limits decompressed size.", "If no patch is available, configure the Orthanc service or a reverse proxy to reject HTTP requests that specify Content\u2011Encoding: gzip.", "Implement network\u2011level controls to limit memory usage or memory allocation on the host, such as cgroups or similar.", "Monitor server memory usage and application logs for abnormal spikes to detect attempted exploitation."], "summary": {"action": "Immediate Patch", "impact": "Memory Exhaustion"}, "threat_synthesis": {"affected_systems": "Orthanc DICOM Server. No specific product versions are listed in the available data.", "description_and_impact": "Orthanc DICOM Server can be tricked into allocating excessive memory when it processes an HTTP request that includes a 'Content-Encoding: gzip' header bearing a specially crafted, over\u2011compressed payload. The server trusts the gzip compression metadata to size the buffer, so the attacker can trigger an allocation that far exceeds the real payload size. This unchecked allocation flaw is a manifestation of CWE\u2011770 and can lead to memory exhaustion, potentially causing the service to become unresponsive or crash, thereby denying legitimate users access.", "risk_and_exploitability": "The configuration results in a CVSS score of 7.5, indicating a high\u2011severity vulnerability. The EPSS score is below 1\u202f%, and the issue is not currently in CISA\u2019s KEV catalog, suggesting that large\u2011scale or automated exploitation is unlikely at present. However, the attack path is straightforward: any external user can send an HTTP request with the Content\u2011Encoding header and an adversarial gzip body; no authentication or privileged context is required. Because the server does not check decompressed size, the exploit is reliable and can be launched remotely. System administrators should treat this with high urgency, following vendor guidance for a definitive fix when it becomes available."}}}}, "created": "2026-04-10T08:53:23.745803+00:00", "updated": "2026-04-15T22:45:16.431701+00:00", "vendors": ["orthanc", "orthanc$PRODUCT$dicom_server"]}