
Nine critical vulnerabilities have been identified in Orthanc, an open-source Digital Imaging and Communications in Medicine (DICOM) server widely used in healthcare and medical research. The flaws could allow attackers to crash systems, leak sensitive data, and potentially execute arbitrary code remotely.
According to an advisory from CERT Coordination Center, the vulnerabilities—tracked as CVE-2026-5437 to CVE-2026-5445—stem from inadequate input validation, missing security checks, and unsafe memory operations.
Orthanc, known for its lightweight architecture and ability to process and analyze medical images without complex infrastructure dependencies, is particularly exposed due to these flaws in its core parsing and decoding mechanisms.
Among the identified issues is an out-of-bounds read vulnerability in the meta-header parser, caused by insufficient validation of input data. Attackers could exploit this to access unintended memory regions.
Another significant flaw involves a GZIP decompression bomb, where the server allocates memory based on attacker-controlled metadata without enforcing limits. This could lead to memory exhaustion and service disruption. A similar issue exists in ZIP archive processing, where manipulated metadata can force the system to allocate excessively large buffers.
The HTTP server component is also affected, as it allocates memory directly based on user-supplied header values. Crafted requests with large values can trigger system crashes.
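The two allocation flaws described above share one root cause: a buffer is sized from a number the client controls (the uncompressed-size field inside a GZIP or ZIP archive, or an HTTP header value) instead of from a server-side limit. The following Python example is added here to show the weak pattern beside the hardened one; it is not Orthanc's code (Orthanc is written in C++) and not from the CERT/CC advisory. The size limits, function names and sample payloads are assumptions chosen for illustration, and the archive sample is constructed in the script itself.

```python
"""Bounded handling of attacker-controlled size metadata (illustrative only).

Defensive checks for two flaw classes: a decompression bomb where the
uncompressed size is taken from the archive's own trailer, and an HTTP
body buffer sized from a client-supplied Content-Length header.
The limits below are assumed policy values, not Orthanc settings.
"""
import gzip
import struct
import zlib

MAX_DECOMPRESSED_BYTES = 4 * 1024 * 1024   # assumed policy: at most 4 MiB inflated
MAX_CONTENT_LENGTH = 16 * 1024 * 1024      # assumed policy: at most 16 MiB of body
CHUNK = 64 * 1024                          # inflate granularity; bounds peak memory


class SizeLimitExceeded(Exception):
    """Raised before any oversized allocation would have happened."""


def gzip_isize(data: bytes) -> int:
    """Uncompressed length claimed by the gzip trailer (ISIZE: last 4 bytes,
    little-endian, modulo 2**32). Whoever produced the file wrote it, so it
    is attacker-controlled metadata, not a measurement."""
    if len(data) < 18:  # 10-byte header plus 8-byte trailer at minimum
        raise ValueError("not a complete gzip member")
    return struct.unpack("<I", data[-4:])[0]


def naive_planned_allocation(data: bytes) -> int:
    """The weak pattern: size the output buffer from ISIZE. Returns the byte
    count such code would request; the allocation itself is deliberately
    not performed here."""
    return gzip_isize(data)


def bounded_gunzip(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Hardened pattern: inflate incrementally, ignore what the trailer claims,
    and abort as soon as real output exceeds `limit`. Peak memory is bounded
    by limit + CHUNK no matter how much the stream expands."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, CHUNK)   # max_length caps output per call
        pending = d.unconsumed_tail            # input zlib has not consumed yet
        if not piece and not pending:
            raise ValueError("truncated gzip stream")
        out += piece
        if len(out) > limit:
            raise SizeLimitExceeded(f"inflated output exceeds {limit} bytes")
    return bytes(out)


def parse_content_length(value: str, limit: int = MAX_CONTENT_LENGTH) -> int:
    """Validate a Content-Length header before it is used to size anything.
    Only a canonical ASCII decimal within policy is accepted; signs, hex,
    whitespace and absurdly long digit strings are rejected."""
    if not (value.isascii() and value.isdigit()) or len(value) > 19:
        raise ValueError(f"malformed Content-Length: {value!r}")
    n = int(value)
    if n > limit:
        raise SizeLimitExceeded(f"Content-Length {n} exceeds {limit} bytes")
    return n


# Constructed sample inputs (not captured from any real system).
SMALL_PLAINTEXT = b"PATIENT^DOE|CT|2026-01-01\n" * 40
SMALL = gzip.compress(SMALL_PLAINTEXT)
BOMB = gzip.compress(bytes(8 * 1024 * 1024))          # 8 MiB of zeros, a few KiB compressed
FORGED = SMALL[:-4] + struct.pack("<I", 0xFFFFFFFF)   # same bytes, trailer claims ~4 GiB


if __name__ == "__main__":
    print("forged trailer would request", naive_planned_allocation(FORGED), "bytes")
    print("bounded inflate of SMALL ->", len(bounded_gunzip(SMALL)), "bytes")
    try:
        bounded_gunzip(BOMB)
    except SizeLimitExceeded as e:
        print("BOMB rejected:", e)
    print("Content-Length 4096 ->", parse_content_length("4096"))
```

The point of `naive_planned_allocation` is that the forged trailer makes a 1 KiB archive "claim" almost 4 GiB; code that trusts that field reserves memory before a single byte has been inflated. `bounded_gunzip` never consults the field at all: it measures output as it is produced and stops at the policy limit, so a bomb costs at most `limit + CHUNK` bytes of memory before it is rejected. The same shape applies to a ZIP central directory's uncompressed-size entries and to Content-Length: validate against a server-chosen ceiling first, then allocate or stream incrementally.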
Further vulnerabilities include out-of-bounds read issues in proprietary compression formats and palette color image processing, potentially exposing sensitive memory data. In addition, multiple heap buffer overflow flaws in image decoding and parsing logic pose the most severe risk.
“These issues, particularly heap-based buffer overflows, could allow attackers to crash the process and, under certain conditions, achieve remote code execution,” the advisory noted.
All vulnerabilities impact Orthanc versions 1.12.10 and earlier. Users are strongly advised to upgrade to version 1.12.11, which includes fixes for these security defects.
The discovery underscores the growing importance of securing healthcare IT infrastructure, where vulnerabilities in imaging systems can have far-reaching implications for both data security and operational continuity.