CVE-2026-5445 Overview
An out-of-bounds read vulnerability exists in the DecodeLookupTable function within DicomImageDecoder.cpp. The lookup-table decoding logic used for PALETTE COLOR images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
Critical Impact
Attackers can craft malicious DICOM images to trigger out-of-bounds memory reads, potentially exposing sensitive heap data including protected health information (PHI) or credentials stored in memory.
Affected Products
- Orthanc Server (DICOM image processing components)
- Applications using the affected DicomImageDecoder.cpp component
- Medical imaging systems processing PALETTE COLOR DICOM images
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-5445 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-5445
Vulnerability Analysis
This out-of-bounds read vulnerability stems from insufficient bounds checking in the DICOM image decoder's palette color processing routine. The DecodeLookupTable function processes pixel index values from incoming DICOM images and uses these indices to retrieve color values from a pre-allocated lookup table. However, the function fails to validate that pixel indices fall within the valid range of the lookup table's allocated memory.
When processing a maliciously crafted DICOM image containing pixel index values that exceed the palette size, the decoder attempts to read memory locations beyond the allocated lookup table buffer. This results in heap memory contents being incorporated into the decoded output image, effectively creating an information disclosure channel.
The vulnerability is particularly concerning in medical imaging environments where DICOM servers process images from potentially untrusted sources, such as external healthcare facilities or patient-uploaded imaging data.
Root Cause
The root cause of this vulnerability is the absence of input validation on pixel index values before they are used to index into the color lookup table. The DecodeLookupTable function assumes that all pixel indices in the DICOM image will be within the bounds of the palette size, but this assumption is not enforced programmatically.
Specifically, when a PALETTE COLOR DICOM image specifies a lookup table of size N, any pixel index value should be validated to ensure it falls within the range [0, N-1]. Without this validation, an attacker can supply index values greater than or equal to N, causing the decoder to read from unintended memory locations on the heap.
Attack Vector
The attack vector involves supplying a specially crafted DICOM image file to a vulnerable application or server. The attack proceeds as follows:
- The attacker creates a DICOM image with PALETTE COLOR photometric interpretation
- The image's lookup table is defined with a specific size (e.g., 256 entries)
- Pixel data within the image contains index values that exceed the lookup table size
- When the vulnerable decoder processes this image, it reads beyond the lookup table bounds
- Heap memory contents are written into the output image as color data
- The attacker retrieves the processed image to extract leaked memory contents
This attack can be executed remotely by uploading malicious DICOM files to medical imaging servers or by sending them through DICOM network protocols (such as C-STORE operations).
The vulnerability mechanism exploits the lack of bounds validation in the palette lookup process. When pixel indices exceed the palette size, the decoder reads arbitrary heap memory, which may contain sensitive data such as session tokens, patient information, or internal system data. For detailed technical information, refer to the CERT Vulnerability Advisory #536588.
Detection Methods for CVE-2026-5445
Indicators of Compromise
- DICOM images with unusually large pixel index values in PALETTE COLOR encoded files
- Abnormal memory access patterns or segmentation faults in DICOM processing services
- Output images containing noise patterns inconsistent with normal medical imaging artifacts
- Unexpected data patterns in rendered DICOM palette color images
Detection Strategies
- Monitor DICOM processing services for abnormal memory read patterns or access violations
- Implement input validation rules to detect DICOM files with pixel indices exceeding declared palette sizes
- Deploy application-level monitoring to detect heap memory exposure in image processing pipelines
- Use SentinelOne's behavioral AI to detect anomalous memory access patterns in medical imaging applications
Monitoring Recommendations
- Enable verbose logging on DICOM servers to capture details of processed image metadata including palette sizes
- Configure alerts for memory access violations or unexpected crashes in image decoder processes
- Monitor network traffic for unusual DICOM file uploads or C-STORE operations from untrusted sources
- Implement file integrity monitoring on DICOM storage directories to detect potential attack artifacts
How to Mitigate CVE-2026-5445
Immediate Actions Required
- Review and audit all deployments using the affected DicomImageDecoder.cpp component
- Implement network segmentation to restrict DICOM server access to trusted sources only
- Enable additional logging and monitoring on DICOM processing infrastructure
- Consider temporarily disabling PALETTE COLOR image processing if operationally feasible
Patch Information
Organizations should monitor the Orthanc Server Official Site for security updates addressing this vulnerability. Review the CERT Vulnerability Advisory #536588 for the latest remediation guidance. Until a patch is available, implement the workarounds listed below to reduce exposure.
Workarounds
- Implement input validation to verify pixel indices do not exceed the declared palette table size before processing
- Restrict DICOM image uploads to authenticated and trusted sources only
- Deploy Web Application Firewalls (WAF) or DICOM-aware proxies to filter potentially malicious image files
- Use memory-safe processing environments or sandboxing for DICOM image decoding operations
Until an official patch is released, administrators should implement bounds checking at the application layer. A defensive validation approach should verify that all pixel index values fall within the range [0, paletteSize-1] before lookup table access. Contact your medical imaging software vendor for specific guidance on implementing these mitigations in your environment.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
