CVE-2026-5444 Overview
A heap buffer overflow vulnerability exists in the PAM image parsing logic of Orthanc DICOM server. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
Critical Impact
Attackers can exploit this integer overflow to trigger heap corruption, potentially leading to remote code execution or denial of service on medical imaging systems running Orthanc DICOM server.
Affected Products
- Orthanc DICOM Server (versions unspecified)
Discovery Timeline
- 2026-04-09 - CVE-2026-5444 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-5444
Vulnerability Analysis
This vulnerability combines an integer overflow with a heap buffer overflow, making it a particularly dangerous memory corruption issue. The PAM (Portable Arbitrary Map) image format parser in Orthanc does not properly validate image dimensions before performing arithmetic operations to calculate required buffer sizes.
When processing DICOM files containing embedded PAM images, Orthanc multiplies width, height, and depth values to determine how much memory to allocate for pixel data. Using 32-bit unsigned arithmetic, carefully crafted dimension values can wrap around the 32-bit boundary, resulting in a calculated buffer size significantly smaller than what is actually needed.
The subsequent pixel processing routine then writes image data into this undersized buffer, causing heap memory corruption. This overflow can overwrite adjacent heap metadata or other objects, creating opportunities for arbitrary code execution through heap exploitation techniques.
Root Cause
The root cause is insufficient validation of image dimensions combined with improper use of 32-bit arithmetic for buffer size calculations. When multiplying large dimension values (width × height × channels × bytes-per-sample), the result can exceed the maximum 32-bit unsigned integer value (4,294,967,295), causing it to wrap around to a much smaller number.
For example, if an attacker specifies dimensions that result in a multiplication of approximately 2^33 bytes, the 32-bit result would wrap to a value near zero plus the overflow remainder, leading to allocation of a tiny buffer while the actual pixel data size remains enormous.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious DICOM file containing a PAM image with specially calculated dimensions. When this file is uploaded to or processed by a vulnerable Orthanc server, the integer overflow occurs during buffer allocation, followed by heap corruption during pixel data processing.
The attack requires the ability to submit DICOM files to the Orthanc server, which is a common operation in medical imaging workflows. This could be accomplished through:
- Direct upload via the Orthanc REST API
- DICOM C-STORE operations from a compromised or malicious imaging device
- Processing of files from network shares or storage systems
The vulnerability manifests in the PAM image parsing routine during buffer size calculation. For detailed technical analysis, refer to the CERT Vulnerability Advisory.
Detection Methods for CVE-2026-5444
Indicators of Compromise
- Unexpected crashes or service restarts of the Orthanc DICOM server process
- Memory corruption errors or segmentation faults in Orthanc logs
- Unusual DICOM files with abnormally large image dimension values in headers
- Evidence of heap spray techniques or unusual memory allocation patterns
Detection Strategies
- Monitor Orthanc server logs for crashes, memory errors, or abnormal terminations during DICOM file processing
- Implement network monitoring to detect DICOM files with suspicious PAM image dimension parameters
- Deploy endpoint detection to identify exploitation attempts targeting heap corruption vulnerabilities
- Use file integrity monitoring on DICOM storage directories to detect malicious file uploads
Monitoring Recommendations
- Enable verbose logging on Orthanc servers to capture detailed processing information
- Configure alerting for abnormal process behavior including unexpected restarts or high memory consumption
- Monitor network traffic for DICOM C-STORE operations from untrusted sources
- Implement SIEM rules to correlate Orthanc service crashes with recent file processing events
How to Mitigate CVE-2026-5444
Immediate Actions Required
- Review the CERT Vulnerability Advisory for updated patch information from the vendor
- Restrict network access to Orthanc servers to trusted imaging devices and workstations only
- Implement input validation at the network perimeter to filter DICOM files with abnormal dimension parameters
- Consider temporarily disabling PAM image support if not required for operations
Patch Information
Consult the Orthanc Server Information page for official security updates and patched versions. Organizations should prioritize applying vendor-supplied patches as soon as they become available. Monitor the CERT Vulnerability Advisory for updated remediation guidance.
Workarounds
- Implement network segmentation to isolate Orthanc servers from untrusted networks
- Configure firewall rules to restrict DICOM protocol access to authorized imaging equipment only
- Enable authentication and access controls on the Orthanc REST API to prevent unauthorized file uploads
- Deploy a DICOM proxy or gateway that validates image dimensions before forwarding to Orthanc
# Configuration example
# Example: Restrict Orthanc REST API access via firewall (iptables)
# Allow DICOM port 4242 only from trusted imaging subnet
iptables -A INPUT -p tcp --dport 4242 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 4242 -j DROP
# Restrict HTTP API port 8042 to management network
iptables -A INPUT -p tcp --dport 8042 -s 10.10.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8042 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
