Description
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP requests with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
Published: 2026-04-09
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A gzip decompression bomb vulnerability exists when Orthanc processes HTTP requests with a Content-Encoding header set to gzip. The server does not enforce limits on the decompressed size and allocates memory based on attacker‑controlled compression metadata. An attacker can craft a gzip payload that causes the server to allocate excessive memory, eventually exhausting system memory or crashing the service. This results in a denial of service to all users of the DICOM server. The weakness corresponds to uncontrolled resource consumption (CWE‑770).
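The defensive counterpart of the weakness described above, as an added example that is not Orthanc's code: a gzip inflater that caps the bytes it actually produces instead of trusting the sender-controlled ISIZE trailer, checked against constructed fixtures (the 1 MiB cap and the JSON body are assumptions, not Orthanc settings).

```python
import gzip
import struct
import zlib


class DecompressedSizeExceeded(Exception):
    """Raised when the inflated body would exceed the configured cap."""


def advertised_isize(payload: bytes) -> int:
    """ISIZE from the gzip trailer (last 4 bytes, little-endian).

    The sender writes this field, so it is untrusted metadata and must
    never be used to size an allocation up front."""
    return struct.unpack("<I", payload[-4:])[0]


def inflate_gzip_bounded(payload: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body while capping the bytes actually produced.

    max_length bounds how much output one decompress() call may emit, so
    memory never grows past about max_out + chunk, whatever ISIZE claims."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    data = payload
    while True:
        piece = d.decompress(data, max_length=chunk)
        if len(out) + len(piece) > max_out:
            raise DecompressedSizeExceeded(
                f"body exceeds {max_out} bytes (trailer claimed {advertised_isize(payload)})")
        out += piece
        data = d.unconsumed_tail  # input zlib has not consumed yet
        if d.eof:
            return bytes(out)
        if not piece and not data:
            raise ValueError("truncated or corrupt gzip stream")


def is_rejected(payload: bytes, max_out: int) -> bool:
    """True when the bounded inflater refuses the payload."""
    try:
        inflate_gzip_bounded(payload, max_out)
    except DecompressedSizeExceeded:
        return True
    return False


# Constructed fixtures (not real Orthanc traffic): a small legitimate body and
# a highly compressible body that inflates roughly 1000x, as a bomb would.
SMALL = gzip.compress(b'{"Level": "Patient"}')
BOMB_LIKE = gzip.compress(b"\0" * (4 * 1024 * 1024))
MAX_BODY = 1024 * 1024  # 1 MiB cap, standing in for a per-request limit
```

Because the cap is applied per chunk of produced output, the process holds at most about `max_out + chunk` bytes before rejecting, regardless of how small the compressed request is.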

Affected Systems

Orthanc DICOM Server is the affected product. No specific affected versions are listed in the CVE, so all installations that accept gzip‑encoded requests may be vulnerable until patched or disabled.

Risk and Exploitability

The vulnerability is remotely exploitable via HTTP traffic by sending a malicious gzip payload. While CVSS and EPSS scores are not available, a memory exhaustion attack can have a high operational impact if the server is reachable from an attacker, potentially causing prolonged downtime. The absence from the CISA KEV list suggests no known active exploitation yet, but the exploitability remains significant due to the simplicity of the attack vector.

Generated by OpenCVE AI on April 9, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Orthanc patch or upgrade to a version that limits decompressed memory.
  • Configure Orthanc to reject requests carrying a `Content-Encoding: gzip` header if gzip support is not required.
  • Restrict memory usage at the operating system or container level to mitigate large allocation attempts.
  • Deploy a web application firewall to filter oversized gzip requests.
  • Monitor system memory and set alerts for abnormal usage patterns.

Generated by OpenCVE AI on April 9, 2026 at 16:23 UTC.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 10:00:00 +0000

Weaknesses (values added): CWE-770

Fri, 10 Apr 2026 09:00:00 +0000

First Time appeared (values added): Orthanc; Orthanc dicom Server
Vendors & Products (values added): Orthanc; Orthanc dicom Server

Thu, 09 Apr 2026 15:00:00 +0000

Description (values added): A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
Title (values added): Gzip Decompression Bomb via Content-Encoding Header
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-09T14:44:05.375Z

Reserved: 2026-04-02T19:21:58.543Z

Link: CVE-2026-5438

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T15:16:15.327

Modified: 2026-04-09T15:16:15.327

Link: CVE-2026-5438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:36Z

Weaknesses