CVE-2026-5440

Published: Apr 9, 2026Modified: Apr 14, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.

Affected (1)

Products: Orthanc Server: Orthanc

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Orthanc Server Orthanc	Before 1.12.11

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (3)

https://kb.cert.org/vuls/id/536588

Source: cret@cert.org

Third Party AdvisoryVDB Entry

https://www.machinespirits.de/

Source: cret@cert.org

Not Applicable

https://www.orthanc-server.com/

Source: cret@cert.org

Product

Timeline

No history available yet.