CVE-2026-5440 - Vulnerability Details

- Memory Exhaustion via Unbounded Content-Length

Description

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.

Published: 2026-04-09

Score: 7.5 High

EPSS: 1.6% Low

KEV: No

Impact:

Action:

Analysis

Impact

A supplied HTTP request with an unbounded Content-Length header causes the Orthanc server to allocate memory based on the header value without any upper bound. Because the allocation is performed directly, a crafted request can exhaust available memory, leading to a crash or refusal to process further requests. This is a classic memory exhaustion flaw (CWE‑770) that can result in denial of service for all users of the affected DICOM server.

Affected Systems

Orthanc DICOM Server is affected. The CNA data does not specify a particular release, implying that the flaw may exist across multiple or all current releases. Administrators should verify their exact version against the official Orthanc documentation for remediation status.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, yet the EPSS score is 2%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation is possible remotely via an HTTP request that includes an extremely large Content-Length value, even without sending a body, which can trigger excessive memory allocation and terminate the server process, effectively denying service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Orthanc

DICOM Server

affected

Version	Status	Constraints
`0`	affected	≤ 1.12.10

Configuration 1 [-]

cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Orthanc

Dicom Server

100%

Version	Status	Scheme	Platform
`[0,1.12.10]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Orthanc patch that mitigates the memory exhaustion vulnerability.
If a patch is not immediately available, configure a reverse proxy or firewall to enforce a maximum Content-Length header size.
Disable or restrict the HTTP endpoint that processes Content-Length headers if that service is not essential.
Regularly review server logs for abnormal Content-Length values and terminate any connections that exceed the allowed limit.
Restart the Orthanc service after applying any changes to ensure they are active.

Generated by OpenCVE AI on April 15, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01638.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://kb.cert.org/vuls/id/536588
https://www.machinespirits.de/
https://www.orthanc-server.com/

History

Wed, 15 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-400 CWE-789

Tue, 14 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Orthanc-server Orthanc-server orthanc
Weaknesses		CWE-770
CPEs		cpe:2.3:a:orthanc-server:orthanc::::::::
Vendors & Products		Orthanc-server Orthanc-server orthanc

Tue, 14 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400 CWE-789

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Orthanc Orthanc dicom Server
Vendors & Products		Orthanc Orthanc dicom Server

Thu, 09 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
Title		Memory Exhaustion via Unbounded Content-Length
References		https://kb.cert.org/vuls/id/536588 https://www.machinespirits.de/ https://www.orthanc-server.com/

Subscriptions

Orthanc Dicom Server

Orthanc-server Orthanc

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2026-04-09T14:43:55.684Z

Updated: 2026-04-14T16:34:31.991Z

Reserved: 2026-04-02T19:22:26.410Z

Link: CVE-2026-5440

Vulnrichment

Updated: 2026-04-14T15:12:41.250Z

NVD

Status : Analyzed

Published: 2026-04-09T15:16:16.337

Modified: 2026-04-14T20:26:57.417

Link: CVE-2026-5440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:45:12Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object