Description
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
Published: 2026-04-09
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Memory Exhaustion
Action: Assess Impact
AI Analysis

Impact

A request handling flaw in the Orthanc DICOM Server’s HTTP component allows an adversary to set an arbitrarily large Content-Length header. The server allocates memory proportional to the header value without any cap, meaning that a crafted request can cause excessive memory consumption and terminate the server even if the request body is omitted. The consequence is a loss of availability; the server becomes unresponsive and must be restarted, but no data is directly disclosed or corrupted.

Affected Systems

The Orthanc DICOM Server is the affected product. No specific version range is listed in the CNA data, so the vulnerability may apply to any unsupported or older releases of Orthanc that still use the default HTTP server handling. Users should verify their installed version against Orthanc release notes for any mention of this issue.

Risk and Exploitability

The Common Vulnerability Scoring System score is not provided, and EPSS data is unavailable, so exact numerical risk cannot be calculated from the source. The issue is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Nevertheless, the lack of bounds on memory allocation makes the vulnerability highly exploitable; an attacker merely needs to send a single HTTP request with a large Content-Length, a technique that can be automated or performed manually. Because the flaw leads to denial of service, it poses a significant operational threat to any system hosting Orthanc and exposing the HTTP interface.

Generated by OpenCVE AI on April 9, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Orthanc Server update if a patch is released by the vendor.
  • Configure a reverse proxy or load balancer to reject or truncate requests with Content-Length values beyond a safe threshold.
  • If the server configuration provides a maximum request size setting, enable it and set it to a reasonable limit.
  • Continuously monitor server memory usage and restart the service gracefully if high consumption is detected.
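As an added illustration (not Orthanc's code and not a published fix for this CVE), the Python below shows the bounded body reader that the description and the recommended actions above call for: the declared Content-Length is validated and compared against a configured limit before any buffer is reserved, so an oversized header is refused with a 413 even when no body follows, and the body is then accumulated in fixed chunks so memory grows with bytes actually received rather than with the declared value. The 16 MiB limit, the sample requests and the function names are assumptions made for the example.

```python
"""Bounded Content-Length handling (added example, not project code).

The advisory describes a server that reserves memory from the header value
itself.  This reader never does that: it checks the declared length against
a deployment limit first and then reads in fixed-size chunks.
"""
import io
from typing import Dict, Tuple

MAX_REQUEST_BODY = 16 * 1024 * 1024  # assumed deployment limit: 16 MiB
READ_CHUNK = 64 * 1024               # fixed chunk size, independent of the header


class RequestTooLarge(Exception):
    """Declared Content-Length exceeds the configured limit (HTTP 413)."""


class BadRequest(Exception):
    """Malformed Content-Length or body shorter than declared (HTTP 400)."""


def parse_content_length(headers: Dict[str, str]) -> int:
    """Content-Length must be a non-negative ASCII decimal integer.

    Signs, exponents, whitespace and non-ASCII digits are rejected rather
    than coerced, so the value handed to the allocator is never surprising.
    """
    raw = headers.get("content-length")
    if raw is None:
        return 0
    if not (raw.isascii() and raw.isdigit()):
        raise BadRequest("invalid Content-Length")
    return int(raw)


def read_body_bounded(stream: io.BufferedIOBase, headers: Dict[str, str],
                      limit: int = MAX_REQUEST_BODY) -> bytes:
    """Read a body without letting the header size the allocation.

    1. The limit check happens before any buffer exists, so a request that
       only carries a huge header (and no body) costs nothing but the parse.
    2. Chunks are read and joined; memory tracks data actually received.
    3. A short read (peer closed early) is an error, not a hang.
    """
    declared = parse_content_length(headers)
    if declared > limit:
        raise RequestTooLarge(f"declared {declared} bytes exceeds limit {limit}")
    chunks = []
    remaining = declared
    while remaining > 0:
        chunk = stream.read(min(READ_CHUNK, remaining))
        if not chunk:
            raise BadRequest("body shorter than Content-Length")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def handle_request(raw_request: bytes,
                   limit: int = MAX_REQUEST_BODY) -> Tuple[int, bytes]:
    """Minimal HTTP/1.1 request handling: split head from body, parse the
    header block, apply the bounded reader and map failures to status codes."""
    head, sep, rest = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return 400, b""
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    try:
        body = read_body_bounded(io.BytesIO(rest), headers, limit)
    except RequestTooLarge:
        return 413, b""
    except BadRequest:
        return 400, b""
    return 200, body


# Constructed sample requests for demonstration (not captured traffic).
OK_REQUEST = (b"POST /instances HTTP/1.1\r\nHost: orthanc.example\r\n"
              b"Content-Length: 5\r\n\r\nhello")
OVERSIZED_HEADER_NO_BODY = (b"POST /instances HTTP/1.1\r\nHost: orthanc.example\r\n"
                            b"Content-Length: 1000000000000\r\n\r\n")

if __name__ == "__main__":
    print(handle_request(OK_REQUEST))                 # (200, b'hello')
    print(handle_request(OVERSIZED_HEADER_NO_BODY))   # (413, b'')
```

The same check belongs at the edge as well: a reverse proxy in front of the HTTP interface can enforce it before the request reaches the application (nginx's `client_max_body_size`, for example, answers 413 when the declared length exceeds the configured size), which is the proxy-level control the second recommended action describes.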

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 10:00:00 +0000

Weaknesses: added CWE-400, CWE-789

Fri, 10 Apr 2026 09:00:00 +0000

First Time appeared: added Orthanc, Orthanc dicom Server
Vendors & Products: added Orthanc, Orthanc dicom Server

Thu, 09 Apr 2026 15:00:00 +0000

Description: added "A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body."
Title: added "Memory Exhaustion via Unbounded Content-Length"
References: no values listed

Subscriptions

Orthanc Dicom Server
MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-09T14:43:55.684Z

Reserved: 2026-04-02T19:22:26.410Z

Link: CVE-2026-5440

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T15:16:16.337

Modified: 2026-04-09T15:16:16.337

Link: CVE-2026-5440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:37Z

Weaknesses