CVE-2026-5438

Published: Apr 9, 2026Modified: Apr 15, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.

Affected (1)

Products: Orthanc Server: Orthanc

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Orthanc Server Orthanc	Before 1.12.11

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (3)

https://kb.cert.org/vuls/id/536588

Source: cret@cert.org

Third Party AdvisoryVDB Entry

https://www.machinespirits.de/

Source: cret@cert.org

Not Applicable

https://www.orthanc-server.com/

Source: cret@cert.org

Product

Timeline

No history available yet.