{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5444", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-02T19:23:20.072Z", "datePublished": "2026-04-09T14:42:30.696Z", "dateUpdated": "2026-04-14T16:34:57.706Z"}, "containers": {"cna": {"title": "Heap Buffer Overflow in PAM Image Buffer Allocation", "descriptions": [{"lang": "en", "value": "A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.10", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5444"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:42:30.696Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:08:02.200164Z", "id": "CVE-2026-5444", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:34:57.706Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:08:02.200164Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:07:57.475Z"}}], "cna": {"title": "Heap Buffer Overflow in PAM Image Buffer Allocation", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.12.10"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5444"}, "descriptions": [{"lang": "en", "value": "A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:42:30.696Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5444", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:34:57.706Z", "dateReserved": "2026-04-02T19:23:20.072Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-09T14:42:30.696Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*", "matchCriteriaId": "A259075D-8B77-4B04-BC42-3E5ABE9DFE1F", "versionEndExcluding": "1.12.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing."}], "id": "CVE-2026-5444", "lastModified": "2026-04-14T20:20:10.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T15:16:16.760", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://kb.cert.org/vuls/id/536588"}, {"source": "cret@cert.org", "tags": ["Not Applicable"], "url": "https://www.machinespirits.de/"}, {"source": "cret@cert.org", "tags": ["Product"], "url": "https://www.orthanc-server.com/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.12.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DICOM Server", "source": "cna", "vendor": "Orthanc"}, "product": "dicom_server", "vendor": "orthanc"}], "analysis": {"en": {"generated_at": "2026-04-15T22:35:14.540510+00:00", "value": {"mitigation_remediation": ["Apply the latest Orthanc patch or upgrade to a version that resolves the PAM image parsing flaw. ", "If a patch is unavailable, restrict network access to the Orthanc server so that only trusted hosts can submit DICOM files. ", "Disable the PAM image support feature if it is not required, or enforce stricter input validation for incoming files. "], "summary": {"action": "Patch", "impact": "Heap Buffer Overflow"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Orthanc DICOM Server, specifically any release that supports PAM image parsing. No particular version range is provided, so all installations with PAM handling should be considered vulnerable until a patch is applied.", "description_and_impact": "Orthanc\u2019s DICOM server can overflow a heap buffer when it processes a carefully crafted PAM image embedded in a DICOM file. The server multiplies the image\u2019s width and height using 32\u2011bit unsigned arithmetic; if these values are chosen to trigger an integer overflow, the computed buffer size becomes smaller than the actual number of pixels that will be written. The write operation then exceeds the allocated memory, corrupting heap data and potentially leading to unpredictable execution, denial of service, or arbitrary code execution.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.1, indicating high severity. The estimated EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Orthanc normally receives DICOM files over a network connection, so a remote attacker who can supply a malicious file could trigger the overflow. Because the overflow can corrupt memory and may allow arbitrary code execution, the potential impact is significant, even if the chance of exploitation remains modest at present."}}}}, "created": "2026-04-10T08:53:28.731209+00:00", "updated": "2026-04-15T22:45:16.433866+00:00", "vendors": ["orthanc", "orthanc$PRODUCT$dicom_server"]}