CVE-2026-5442

CRITICAL 9.8

Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.

Vendor	orthanc
Product	dicom server
Published	Apr 9, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for orthanc dicom server

Be the first to know when new critical vulnerabilities affecting orthanc dicom server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Orthanc / DICOM Server

0 ≤ 1.12.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

orthanc-server.com: https://www.orthanc-server.com/ machinespirits.de: https://www.machinespirits.de/ kb.cert.org: https://kb.cert.org/vuls/id/536588