Nine critical vulnerabilities have been identified in Orthanc, an open-source Digital Imaging and Communications in Medicine (DICOM) server, potentially allowing attackers to crash systems, access sensitive data, and execute code remotely.
Orthanc is widely used in healthcare for the automated analysis of medical images, operating as a standalone server without the need for complex database management or additional third-party software. However, recent findings by researchers at Machine Spirits have uncovered several security flaws.
Details of the Discovered Vulnerabilities
The vulnerabilities, which are cataloged from CVE-2026-5437 to CVE-2026-5445, stem from insufficient metadata validation, lack of necessary checks, and unsafe arithmetic operations, according to the CERT Coordination Center (CERT/CC) advisory.
Among these, the first issue involves an out-of-bounds read in the meta-header parser due to inadequate input validation. Another significant flaw is a GZIP decompression bomb vulnerability, where unregulated decompressed data size can lead to memory exhaustion.
Security Risks and Exploitation Methods
Furthermore, a similar memory exhaustion problem exists in ZIP archive processing, where the system overly trusts metadata on file sizes. Attackers could exploit this by manipulating size values to cause excessive memory allocation.
The server’s HTTP handler also poses a risk, as it allocates memory based on user-supplied header values, potentially enabling attackers to send requests with oversized length values that exhaust memory and terminate the service.
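The three memory-exhaustion issues above (the GZIP decompression bomb, the trusted ZIP size metadata and the Content-Length-driven allocation) share one root cause: an allocation sized from attacker-controlled metadata. The following is an added example, not Orthanc's code, showing the defensive pattern in Python: inflate and read in fixed chunks, charge the bytes actually produced against a budget, and treat declared sizes only as grounds for early rejection. The limits, the helper names and the sample inputs are constructed for the illustration.

```python
"""Bounded decompression and request-body limits (added example).

Constructed illustration of the defensive pattern behind the gzip bomb,
ZIP size-metadata and HTTP length issues: never size an allocation from
attacker-controlled metadata; count real bytes and stop at a fixed budget.
This is not Orthanc code; the limits below are assumptions.
"""
import gzip
import io
import zipfile
import zlib

CHUNK = 64 * 1024                   # read/inflate granularity
MAX_DECOMPRESSED = 1 * 1024 * 1024  # assumed budget for inflated output
MAX_BODY = 64 * 1024                # assumed cap on HTTP request bodies


class LimitExceeded(ValueError):
    """Raised when output would exceed the configured budget."""


def gunzip_bounded(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate gzip data in bounded chunks; abort once output passes `limit`.

    The gzip trailer's ISIZE field is ignored on purpose: it is part of the
    untrusted input and says nothing about how much will really come out.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    buf = data
    while not d.eof:
        chunk = d.decompress(buf, max_length=CHUNK)
        buf = d.unconsumed_tail
        out += chunk
        if len(out) > limit:
            raise LimitExceeded(f"gzip output exceeds {limit} bytes")
        if not chunk and not buf:
            break  # truncated stream: nothing left to feed, nothing produced
    return bytes(out)


def zip_extract_bounded(archive: bytes, limit: int = MAX_DECOMPRESSED) -> dict:
    """Extract every member while charging actual inflated bytes to one budget.

    ZipInfo.file_size comes from the central directory and is trusted only
    enough to reject early; it is never used as an allocation size.
    """
    total = 0
    members = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.file_size > limit:
                raise LimitExceeded(f"{info.filename} declares {info.file_size} bytes")
            with zf.open(info) as fh:
                buf = bytearray()
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > limit:  # real bytes, whatever the header claimed
                        raise LimitExceeded("archive output exceeds budget")
                    buf += chunk
            members[info.filename] = bytes(buf)
    return members


def read_body(headers: dict, stream: io.BufferedIOBase, limit: int = MAX_BODY) -> bytes:
    """Validate Content-Length, then read incrementally; never pre-allocate from it."""
    raw = headers.get("content-length")
    if raw is None or not raw.isdigit():  # also rejects "-1", "+5", "1e9"
        raise ValueError("missing or malformed Content-Length")
    length = int(raw)
    if length > limit:
        raise LimitExceeded(f"declared body of {length} bytes exceeds {limit}")
    body = bytearray()
    while len(body) < length:
        chunk = stream.read(min(CHUNK, length - len(body)))
        if not chunk:
            raise ValueError("body shorter than Content-Length")
        body += chunk
    return bytes(body)


def make_zip(members: dict) -> bytes:
    """Build a deflated ZIP in memory (constructed test input)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return bio.getvalue()


if __name__ == "__main__":
    bomb = gzip.compress(b"\0" * (4 * MAX_DECOMPRESSED))  # ~4 MiB inflates from a few KiB
    try:
        gunzip_bounded(bomb)
    except LimitExceeded as e:
        print("rejected:", e)
```

The ZIP budget is cumulative across members on purpose: a per-file check alone still lets an archive of many individually acceptable members exhaust memory.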
An additional out-of-bounds read issue affects Orthanc’s decompression routine for Philips Compression format, risking data leakage into image outputs.
Three additional vulnerabilities involve heap buffer overflows impacting the image decoder and color image parsing logic. These flaws could result in unauthorized memory access and potentially enable remote code execution (RCE), as emphasized by the CERT/CC advisory.
Recommendations for Mitigating Risks
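The out-of-bounds read in the Philips decompression routine and the heap overflows in the image decoder and colour parsing both come down to a decoder trusting header-declared dimensions over the buffer it actually holds, with the unsafe arithmetic mentioned in the CERT/CC summary making the declared size look small. The following is an added example, not Orthanc's code, of the check a decoder should make first: derive the expected frame size from the header with arithmetic that cannot wrap, prove the buffer is that large, and bounds-check every sample access. Rows, Columns, SamplesPerPixel, BitsAllocated and NumberOfFrames are real DICOM attributes; the sample budget, the helper names and the test inputs are assumptions constructed for the illustration.

```python
"""Header-vs-buffer validation for an image decoder (added example).

Constructed illustration, not Orthanc code. Before a decoder indexes pixel
data it should derive the expected size from the header with arithmetic
that cannot wrap, then prove the buffer is that large. The attribute names
(Rows, Columns, SamplesPerPixel, BitsAllocated, NumberOfFrames) are real
DICOM attributes; the cap below and the helper names are assumptions.
"""
from dataclasses import dataclass

MAX_SAMPLES = 2**31  # assumed policy cap on total samples per image
U32 = 2**32


@dataclass(frozen=True)
class ImageHeader:
    rows: int
    columns: int
    samples_per_pixel: int
    bits_allocated: int
    number_of_frames: int = 1


def frame_size_wrapping_u32(h: ImageHeader) -> int:
    """The defective pattern: a 32-bit product that silently wraps, so an
    absurd header yields a small, plausible-looking allocation while the
    decoder still walks rows*columns samples into it."""
    return (h.rows * h.columns * h.samples_per_pixel * (h.bits_allocated // 8)) % U32


def frame_size_checked(h: ImageHeader) -> int:
    """Validate each factor, then bound the product before it is used.
    Python integers do not wrap; in C++ the same test needs a widened type
    or a divide-before-multiply comparison."""
    if h.bits_allocated not in (8, 16, 32):
        raise ValueError("unsupported BitsAllocated")
    if h.samples_per_pixel not in (1, 3):
        raise ValueError("unsupported SamplesPerPixel")
    if min(h.rows, h.columns, h.number_of_frames) <= 0:
        raise ValueError("non-positive dimension")
    samples = h.rows * h.columns * h.samples_per_pixel * h.number_of_frames
    if samples > MAX_SAMPLES:
        raise ValueError(f"{samples} samples exceeds budget")
    return h.rows * h.columns * h.samples_per_pixel * (h.bits_allocated // 8)


def split_frames(h: ImageHeader, pixel_data: bytes) -> list:
    """Slice into frames only after proving the buffer is large enough."""
    size = frame_size_checked(h)
    needed = size * h.number_of_frames
    if len(pixel_data) < needed:
        raise ValueError(f"pixel data truncated: {len(pixel_data)} < {needed}")
    return [pixel_data[i * size:(i + 1) * size] for i in range(h.number_of_frames)]


def sample_at(h: ImageHeader, frame: bytes, row: int, col: int, plane: int = 0) -> int:
    """Bounds-checked read of one sample; the check an out-of-bounds read lacks."""
    if not (0 <= row < h.rows and 0 <= col < h.columns and 0 <= plane < h.samples_per_pixel):
        raise IndexError("sample coordinate outside declared image")
    width = h.bits_allocated // 8
    offset = ((row * h.columns + col) * h.samples_per_pixel + plane) * width
    if offset + width > len(frame):
        raise IndexError("frame buffer shorter than header implies")
    return int.from_bytes(frame[offset:offset + width], "little")
```

Run `frame_size_wrapping_u32` and `frame_size_checked` on the same 65536 x 65536 header to see the difference: the wrapping version reports zero bytes, the checked version refuses the image.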
Orthanc versions up to 1.12.10 are impacted by these vulnerabilities. Users are strongly advised to upgrade to version 1.12.11, which patches these security issues.
The researchers at Machine Spirits have documented their findings in detailed advisories, urging users to take immediate action to secure their systems.
For more information on related vulnerabilities, refer to advisories on issues like the Marimo flaw and the OpenSSL data leakage vulnerability.
