CVE-2026-5439

Published: Apr 9, 2026Modified: Apr 15, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

Affected (1)

Products: Orthanc Server: Orthanc

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Orthanc Server Orthanc	Before 1.12.11

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (3)

https://kb.cert.org/vuls/id/536588

Source: cret@cert.org

Third Party AdvisoryVDB Entry

https://www.machinespirits.de/

Source: cret@cert.org

Not Applicable

https://www.orthanc-server.com/

Source: cret@cert.org

Product

Timeline

No history available yet.