CVE-2026-5438: CWE-770 Allocation of Resources Without Limits or Throttling in Orthanc DICOM Server
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
AI Analysis
Technical Summary
The Orthanc DICOM Server is vulnerable to a resource exhaustion attack due to improper handling of gzip-compressed HTTP requests. Specifically, the server does not limit the size of decompressed data, leading to uncontrolled memory allocation based on attacker-controlled compression metadata. This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The absence of decompression size limits can cause the server to consume excessive memory, potentially leading to denial of service conditions.
Potential Impact
An attacker can cause the Orthanc DICOM Server to allocate excessive memory by sending a malicious gzip-compressed HTTP request. This can exhaust system memory resources, potentially resulting in denial of service or server instability. There is no indication that this vulnerability allows code execution or data compromise beyond resource exhaustion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://kb.cert.org/vuls/id/536588 for current remediation guidance. Until an official fix is available, consider implementing external protections such as limiting request sizes or deploying network-level controls to detect and block suspicious gzip payloads. Avoid exposing the vulnerable service to untrusted networks where possible.
CVE-2026-5438: CWE-770 Allocation of Resources Without Limits or Throttling in Orthanc DICOM Server
Description
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Orthanc DICOM Server is vulnerable to a resource exhaustion attack due to improper handling of gzip-compressed HTTP requests. Specifically, the server does not limit the size of decompressed data, leading to uncontrolled memory allocation based on attacker-controlled compression metadata. This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The absence of decompression size limits can cause the server to consume excessive memory, potentially leading to denial of service conditions.
Potential Impact
An attacker can cause the Orthanc DICOM Server to allocate excessive memory by sending a malicious gzip-compressed HTTP request. This can exhaust system memory resources, potentially resulting in denial of service or server instability. There is no indication that this vulnerability allows code execution or data compromise beyond resource exhaustion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://kb.cert.org/vuls/id/536588 for current remediation guidance. Until an official fix is available, consider implementing external protections such as limiting request sizes or deploying network-level controls to detect and block suspicious gzip payloads. Avoid exposing the vulnerable service to untrusted networks where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- certcc
- Date Reserved
- 2026-04-02T19:21:58.543Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://kb.cert.org/vuls/id/536588","vendor":"CERT"}]
Threat ID: 69d7bcce1cc7ad14dad7b6df
Added to database: 4/9/2026, 2:50:54 PM
Last enriched: 4/9/2026, 3:06:26 PM
Last updated: 4/10/2026, 8:17:14 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.