[Debian-med-packaging] Bug#1133182: orthanc: CVE-2026-5437 CVE-2026-5438 CVE-2026-5439 CVE-2026-5440 CVE-2026-5441 CVE-2026-5442 CVE-2026-5443 CVE-2026-5444 CVE-2026-5445

Salvatore Bonaccorso carnil at debian.org
Fri Apr 10 19:48:39 BST 2026


Source: orthanc
Version: 1.12.10+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for orthanc.

CVE-2026-5437[0]:
| An out-of-bounds read vulnerability exists in `DicomStreamReader`
| during DICOM meta-header parsing. When processing malformed metadata
| structures, the parser may read beyond the bounds of the allocated
| metadata buffer. Although this issue does not typically crash the
| server or expose data directly to the attacker, it reflects
| insufficient input validation in the parsing logic.


CVE-2026-5438[1]:
| A gzip decompression bomb vulnerability exists when Orthanc
| processes HTTP requests with `Content-Encoding: gzip`. The server
| does not enforce limits on decompressed size and allocates memory
| based on attacker-controlled compression metadata. A specially
| crafted gzip payload can trigger excessive memory allocation and
| exhaust system memory.


CVE-2026-5439[2]:
| A memory exhaustion vulnerability exists in ZIP archive processing.
| Orthanc automatically extracts ZIP archives uploaded to certain
| endpoints and trusts metadata fields describing the uncompressed
| size of archived files. An attacker can craft a small ZIP archive
| containing a forged size value, causing the server to allocate
| extremely large buffers during extraction.


CVE-2026-5440[3]:
| A memory exhaustion vulnerability exists in the HTTP server due to
| unbounded use of the `Content-Length` header. The server allocates
| memory directly based on the attacker-supplied header value without
| enforcing an upper limit. A crafted HTTP request containing an
| extremely large `Content-Length` value can trigger excessive memory
| allocation and server termination, even without sending a request
| body.


CVE-2026-5441[4]:
| An out-of-bounds read vulnerability exists in the `DecodePsmctRle1`
| function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression
| routine, which decodes the proprietary Philips Compression format,
| does not properly validate escape markers placed near the end of the
| compressed data stream. A crafted sequence at the end of the buffer
| can cause the decoder to read beyond the allocated memory region and
| leak heap data into the rendered image output.


CVE-2026-5442[5]:
| A heap buffer overflow vulnerability exists in the DICOM image
| decoder. Dimension fields are encoded using Value Representation
| (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short
| (US), which allows extremely large dimensions to be processed. This
| causes an integer overflow during frame size calculation and results
| in out-of-bounds memory access during image decoding.


CVE-2026-5443[6]:
| A heap buffer overflow vulnerability exists during the decoding of
| `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit
| multiplication for width and height calculations. If these values
| overflow, the validation check incorrectly succeeds, allowing the
| decoder to read and write to memory beyond allocated buffers.


CVE-2026-5444[7]:
| A heap buffer overflow vulnerability exists in the PAM image parsing
| logic. When Orthanc processes a crafted PAM image embedded in a
| DICOM file, image dimensions are multiplied using 32-bit unsigned
| arithmetic. Specially chosen values can cause an integer overflow
| during buffer size calculation, resulting in the allocation of a
| small buffer followed by a much larger write operation during pixel
| processing.


CVE-2026-5445[8]:
| An out-of-bounds read vulnerability exists in the
| `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The
| lookup-table decoding logic used for `PALETTE COLOR` images does not
| validate pixel indices against the lookup table size. Crafted images
| containing indices larger than the palette size cause the decoder to
| read beyond allocated lookup table memory and expose heap contents
| in the output image.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5437
    https://www.cve.org/CVERecord?id=CVE-2026-5437
[1] https://security-tracker.debian.org/tracker/CVE-2026-5438
    https://www.cve.org/CVERecord?id=CVE-2026-5438
[2] https://security-tracker.debian.org/tracker/CVE-2026-5439
    https://www.cve.org/CVERecord?id=CVE-2026-5439
[3] https://security-tracker.debian.org/tracker/CVE-2026-5440
    https://www.cve.org/CVERecord?id=CVE-2026-5440
[4] https://security-tracker.debian.org/tracker/CVE-2026-5441
    https://www.cve.org/CVERecord?id=CVE-2026-5441
[5] https://security-tracker.debian.org/tracker/CVE-2026-5442
    https://www.cve.org/CVERecord?id=CVE-2026-5442
[6] https://security-tracker.debian.org/tracker/CVE-2026-5443
    https://www.cve.org/CVERecord?id=CVE-2026-5443
[7] https://security-tracker.debian.org/tracker/CVE-2026-5444
    https://www.cve.org/CVERecord?id=CVE-2026-5444
[8] https://security-tracker.debian.org/tracker/CVE-2026-5445
    https://www.cve.org/CVERecord?id=CVE-2026-5445
[9] https://kb.cert.org/vuls/id/536588

Regards,
Salvatore
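As an added illustration that is not Orthanc's code and not part of this report: the 32-bit width x height x bytes-per-pixel multiplication described for CVE-2026-5443 and CVE-2026-5444, beside an overflow-checked version that bounds the result. The function names and the MAX_IMAGE_BYTES limit are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Weak form: the product is computed in 32-bit unsigned arithmetic, so it
 * wraps silently. A comparison against the declared pixel-data length then
 * passes even though the real frame is far larger than the buffer. */
bool validate_pixel_length_32(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, uint32_t pixel_data_len)
{
    uint32_t expected = width * height * bytes_per_pixel;  /* may wrap */
    return expected == pixel_data_len;
}

/* Hardened form: each multiplication is overflow-checked in 64 bits and the
 * total is capped at what the application is willing to allocate.
 * MAX_IMAGE_BYTES is a constructed limit for this example. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

bool compute_pixel_length_checked(uint32_t width, uint32_t height,
                                  uint32_t bytes_per_pixel, uint64_t *out)
{
    uint64_t area, total;
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)height, &area))
        return false;
    if (__builtin_mul_overflow(area, (uint64_t)bytes_per_pixel, &total))
        return false;
    if (total > MAX_IMAGE_BYTES)
        return false;
    *out = total;
    return true;
}

bool validate_pixel_length_checked(uint32_t width, uint32_t height,
                                   uint32_t bytes_per_pixel, uint32_t pixel_data_len)
{
    uint64_t expected;
    if (!compute_pixel_length_checked(width, height, bytes_per_pixel, &expected))
        return false;
    return expected == (uint64_t)pixel_data_len;
}

int main(void)
{
    /* Constructed header values: 65536 x 65537 x 1 wraps to exactly 65536 in
     * 32 bits, so a 64 KiB pixel buffer passes the weak check. */
    printf("weak: %d  checked: %d\n",
           validate_pixel_length_32(0x10000u, 0x10001u, 1u, 65536u),
           validate_pixel_length_checked(0x10000u, 0x10001u, 1u, 65536u));
    return 0;
}
```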
