CVE-2026-10528 Overview
CVE-2026-10528 is a stack-based buffer overflow vulnerability in Orthanc DICOM Server versions up to 1.12.11. The flaw resides in the DcmItem::read function within OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp, part of the DCMTK Parser component. An attacker with local access and low privileges can manipulate DICOM input to trigger memory corruption on the stack. The exploit has been publicly disclosed, increasing the likelihood of attempted use against unpatched installations. The maintainers have released a fix identified by patch revision bae99026ca97. The vulnerability is tracked under [CWE-119] for improper restriction of operations within the bounds of a memory buffer.
Critical Impact
Local attackers can trigger a stack-based buffer overflow in the DCMTK Parser, potentially causing denial of service in DICOM medical imaging workloads.
Affected Products
- Orthanc DICOM Server versions up to and including 1.12.11
- Orthanc Framework component FromDcmtkBridge.cpp
- DCMTK Parser integration within Orthanc
Discovery Timeline
- 2026-06-02 - CVE-2026-10528 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-10528
Vulnerability Analysis
The vulnerability exists in the DcmItem::read function used by Orthanc to parse DICOM (Digital Imaging and Communications in Medicine) data through the DCMTK toolkit bridge. When the parser processes a malformed DICOM item, the function writes beyond the bounds of a fixed-size stack buffer. This stack-based buffer overflow [CWE-119] can corrupt adjacent stack memory, including saved return addresses and local variables.
The attack vector is local, meaning the adversary must already have access to the host or be able to supply input that the local Orthanc process consumes. The required privileges are low, and no user interaction is needed. While the vendor's assessment records only a limited availability impact, the public release of exploit details raises the operational risk for healthcare environments running unpatched instances.
Root Cause
The root cause is insufficient bounds checking when DcmItem::read parses tag length fields and element data from DICOM input. Crafted length values cause the function to copy more bytes than the destination stack buffer can hold. The patch at revision bae99026ca97 introduces the necessary length validation before the read operation proceeds.
Attack Vector
An attacker with local access supplies a malformed DICOM file or stream to the Orthanc DCMTK parsing path. When DcmItem::read processes the crafted item, the stack buffer overflows. The most reliable outcome is process crash and denial of service. Exploitation for code execution depends on platform mitigations such as stack canaries, ASLR, and DEP. See the Orthanc Bug Report and the Orthanc Code Revision for technical details. No verified public proof-of-concept code is included here.
Detection Methods for CVE-2026-10528
Indicators of Compromise
- Unexpected crashes or segmentation faults in the Orthanc service process during DICOM ingestion
- Core dumps referencing DcmItem::read or FromDcmtkBridge.cpp in the stack trace
- Anomalous DICOM files with malformed item length fields submitted to local ingestion paths
Detection Strategies
- Monitor Orthanc service logs for parser errors, abnormal terminations, and restart loops tied to DICOM uploads
- Inspect DICOM inputs for oversized or inconsistent element length fields prior to parsing
- Correlate process crash events on hosts running Orthanc with recent file write activity in DICOM ingestion directories
Monitoring Recommendations
- Enable verbose Orthanc logging and forward logs to a centralized analytics platform for parser-error pattern detection
- Track integrity and provenance of DICOM files placed in watched folders or submitted via local APIs
- Alert on repeated Orthanc process restarts or non-zero exit codes on imaging servers
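An added example (not from this page or the Orthanc project) of the crash-to-ingestion correlation and restart alerting recommended above: it reads constructed, journald-style lines, treats any abnormal orthanc.service exit as a crash, and counts which recently written .dcm files precede each crash. The log layout, paths and thresholds are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (journald-style layout, not real Orthanc output): writes into the
# watched DICOM folder interleaved with orthanc.service exits and scheduled restarts.
LOG = """\
2026-06-03T10:00:01Z audit: write /var/lib/orthanc/incoming/ct_0001.dcm uid=orthanc-import
2026-06-03T10:00:02Z systemd: orthanc.service: Main process exited, code=dumped, status=11/SEGV
2026-06-03T10:00:03Z systemd: orthanc.service: Scheduled restart job, restart counter is at 1.
2026-06-03T10:00:09Z audit: write /var/lib/orthanc/incoming/ct_0001.dcm uid=orthanc-import
2026-06-03T10:00:10Z systemd: orthanc.service: Main process exited, code=dumped, status=11/SEGV
2026-06-03T10:00:11Z systemd: orthanc.service: Scheduled restart job, restart counter is at 2.
2026-06-03T10:05:00Z audit: write /var/lib/orthanc/incoming/mr_0042.dcm uid=orthanc-import
2026-06-03T10:05:01Z systemd: orthanc.service: Main process exited, code=exited, status=0/SUCCESS
"""

TS = "%Y-%m-%dT%H:%M:%SZ"
CRASH = re.compile(r"^(\S+) .*orthanc\.service: Main process exited, code=(\w+), status=(\S+)")
WRITE = re.compile(r"^(\S+) .*write (\S+\.dcm)")

def correlate(log: str, window_s: int = 30, min_crashes: int = 2):
    """Return (suspects, alert): a Counter of .dcm paths written within window_s seconds
    before an abnormal Orthanc exit, and whether abnormal exits reached min_crashes."""
    writes, crashes = [], []
    for line in log.splitlines():
        if m := WRITE.match(line):
            writes.append((datetime.strptime(m[1], TS), m[2]))
        elif m := CRASH.match(line):
            if m[2] != "exited" or not m[3].startswith("0/"):  # dumped/killed or non-zero exit
                crashes.append(datetime.strptime(m[1], TS))
    suspects = Counter()
    for t in crashes:
        # Each file counts once per crash, however many times it was rewritten in the window.
        recent = {p for wt, p in writes if timedelta(0) <= t - wt <= timedelta(seconds=window_s)}
        for p in recent:
            suspects[p] += 1
    return suspects, len(crashes) >= min_crashes

if __name__ == "__main__":
    suspects, alert = correlate(LOG)
    print("alert" if alert else "ok", suspects.most_common())
```

A file that keeps appearing before successive SEGV exits is the one to pull from the ingestion directory for offline inspection, while a clean exit (status 0/SUCCESS) is not counted.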
How to Mitigate CVE-2026-10528
Immediate Actions Required
- Upgrade Orthanc to a release that includes patch revision bae99026ca97 or later
- Restrict local access to systems running Orthanc to trusted operators and service accounts only
- Validate and sanitize DICOM inputs before they reach the Orthanc parser, especially from untrusted sources
Patch Information
The Orthanc maintainers committed the fix as revision bae99026ca97. The patch corrects bounds handling in the DcmItem::read code path used through FromDcmtkBridge.cpp. Administrators should rebuild or reinstall Orthanc from a release containing this revision. Refer to the Orthanc Code Revision for the exact source-level change.
Workarounds
- Limit filesystem and API access to the Orthanc host so only authorized local users can submit DICOM data
- Place Orthanc behind a hardened ingestion proxy that performs DICOM structural validation before forwarding
- Run the Orthanc service under a least-privilege account and within a sandbox or container to contain the impact of a crash
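One way to implement the structural pre-check recommended above (inspect element length fields before parsing, and validate at an ingestion proxy), as an added example that is not Orthanc or DCMTK code: it walks the top-level elements of an explicit VR little endian Part 10 file and rejects any whose declared length exceeds the bytes actually present. Assumptions: explicit VR little endian throughout, no nested item walking (undefined-length elements are accepted only when a sequence delimitation item follows), and the sample files are constructed.

```python
import struct

LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # header: VR, 2 reserved bytes, 4-byte length
KNOWN_VRS = LONG_VRS | {b"AE", b"AS", b"AT", b"CS", b"DA", b"DS", b"DT", b"FL", b"FD", b"IS", b"LO",
                        b"LT", b"PN", b"SH", b"SL", b"SS", b"ST", b"TM", b"UI", b"UL", b"US"}
SEQ_DELIM = b"\xfe\xff\xdd\xe0\x00\x00\x00\x00"  # (FFFE,E0DD) sequence delimitation item, length 0

def check_dicom(data: bytes):
    """Walk top-level explicit-VR-LE elements; return (ok, reason), failing on the first length that cannot be satisfied."""
    if data[128:132] != b"DICM":
        return False, "missing DICM magic"
    pos, count = 132, 0
    while pos < len(data):
        if len(data) - pos < 8:
            return False, f"truncated element header at offset {pos}"
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr not in KNOWN_VRS:
            return False, f"unknown VR {vr!r} at offset {pos}"
        if vr in LONG_VRS:
            if len(data) - pos < 12:
                return False, f"truncated element header at offset {pos}"
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        tag = f"({group:04X},{elem:04X})"
        if length == 0xFFFFFFFF:  # undefined length: only sequences / encapsulated pixel data, must be delimited
            if vr not in (b"SQ", b"OB", b"OW", b"UN"):
                return False, f"undefined length not allowed for VR {vr!r} at {tag}"
            end = data.find(SEQ_DELIM, pos)
            if end < 0:
                return False, f"unterminated undefined-length element at {tag}"
            pos = end + len(SEQ_DELIM)
        elif length > len(data) - pos:
            return False, f"{tag} declares {length} bytes but only {len(data) - pos} remain"
        else:
            pos += length
        count += 1
    return True, f"{count} elements ok"

def element(group, elem, vr, value, declared=None):  # encode one element; 'declared' fakes the length field
    n = len(value) if declared is None else declared
    size = b"\0\0" + struct.pack("<I", n) if vr in LONG_VRS else struct.pack("<H", n)
    return struct.pack("<HH", group, elem) + vr + size + value

# Constructed samples: a minimal well-formed file, and the same file whose PatientName length field lies.
HEAD = (b"\0" * 128 + b"DICM" + element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1\0")
        + element(0x0008, 0x0060, b"CS", b"CT"))
GOOD_FILE = HEAD + element(0x0010, 0x0010, b"PN", b"DOE^JOHN")
BAD_FILE = HEAD + element(0x0010, 0x0010, b"PN", b"DOE^JOHN", declared=0xFFFF)
```

Run at the proxy or in a pre-ingestion hook, a rejection from check_dicom keeps the inconsistent file out of the DCMTK parser entirely and gives the operator a tag and offset to record.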
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.