CVE-2026-5439 Overview
A memory exhaustion vulnerability exists in Orthanc's ZIP archive processing functionality. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction, leading to denial of service conditions.
Critical Impact
This vulnerability allows remote attackers to exhaust server memory resources by uploading maliciously crafted ZIP archives, potentially causing service disruption for medical imaging systems.
Affected Products
- Orthanc Server (versions not specified)
Discovery Timeline
- 2026-04-09 - CVE-2026-5439 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-5439
Vulnerability Analysis
This vulnerability falls into the category of Memory Exhaustion, a type of Denial of Service (DoS) attack. The core issue stems from Orthanc's implicit trust in metadata contained within ZIP archives during the extraction process. When processing uploaded archives, the server reads the declared uncompressed file size from the ZIP header without validating whether this size is reasonable or accurate.
The Orthanc DICOM server is widely used in medical imaging environments for storing, managing, and sharing medical images. Its REST API accepts ZIP archive uploads for bulk data import operations. The vulnerable code path trusts the size fields in ZIP local file headers and central directory entries, allocating memory buffers based on these attacker-controlled values.
Root Cause
The root cause of this vulnerability is improper input validation of ZIP archive metadata. Specifically, the application fails to validate the declared uncompressed size of files within a ZIP archive before allocating memory buffers. ZIP archives contain metadata fields that specify the compressed and uncompressed sizes of each archived file. A malicious actor can craft a ZIP archive where these declared sizes are significantly larger than the actual data, creating what is commonly known as a "ZIP bomb" variant.
When Orthanc processes such an archive, it attempts to allocate memory based on the forged size values rather than implementing progressive extraction with size limits. This design flaw allows a small uploaded file to trigger allocation of gigabytes of memory on the server.
Attack Vector
The attack can be executed remotely by any user with access to upload ZIP archives to the Orthanc server. The attacker crafts a small ZIP archive (potentially just a few kilobytes) with manipulated header fields declaring an extremely large uncompressed size. Upon upload to the vulnerable endpoint, the server attempts to allocate memory buffers matching the declared size.
The attack does not require authentication in default configurations and can be triggered through standard HTTP POST requests to the archive upload endpoints. Multiple concurrent malicious uploads could accelerate memory exhaustion and service disruption.
For technical details on exploitation, see the CERT Vulnerability Advisory #536588.
Detection Methods for CVE-2026-5439
Indicators of Compromise
- Unusual memory consumption spikes on Orthanc server processes during ZIP upload operations
- Multiple failed or slow uploads of small ZIP files followed by out-of-memory errors in application logs
- Server crashes or restarts coinciding with archive upload requests
- Abnormal ratios between uploaded file sizes and declared uncompressed sizes in request logs
Detection Strategies
- Monitor memory utilization patterns on systems running Orthanc, alerting on rapid consumption increases
- Implement network-level inspection to identify ZIP archives with suspicious declared-to-actual size ratios
- Review Orthanc server logs for memory allocation failures or out-of-memory conditions
- Deploy file upload validators that verify ZIP header integrity before passing to the application
Monitoring Recommendations
- Configure memory usage alerts for Orthanc processes with thresholds below system limits
- Implement logging for all ZIP archive uploads including file sizes and source addresses
- Monitor for repeated upload attempts from single sources that may indicate attack attempts
- Enable resource usage monitoring at the container or process level for early detection
How to Mitigate CVE-2026-5439
Immediate Actions Required
- Restrict access to ZIP upload endpoints to trusted users or networks only
- Implement upload size limits at the web server or reverse proxy level
- Consider temporarily disabling ZIP archive upload functionality if not critical to operations
- Monitor server memory utilization and configure process resource limits
Patch Information
Consult the Orthanc Server Official Site for the latest security updates and patched versions. Review the CERT Vulnerability Advisory #536588 for additional remediation guidance.
Workarounds
- Deploy a reverse proxy that validates ZIP archives before forwarding to Orthanc, rejecting files with suspicious declared sizes
- Implement operating system or container-level memory limits (cgroups) to prevent complete system exhaustion
- Configure firewall rules to restrict access to upload endpoints from untrusted networks
- Enable authentication requirements for all archive upload operations if not already configured
Administrators should implement resource constraints at the system level as a defense-in-depth measure:
# Configuration example
# Example: Limit Orthanc process memory using systemd
# Add to /etc/systemd/system/orthanc.service.d/override.conf
[Service]
MemoryLimit=4G
MemoryMax=4G
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
