CVE-2026-5440: CWE-770 Allocation of Resources Without Limits or Throttling in Orthanc DICOM Server
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-5440) involves the Orthanc DICOM Server allocating memory directly according to the attacker-supplied Content-Length HTTP header without enforcing any upper limit. This lack of throttling or limits on resource allocation (CWE-770) can lead to memory exhaustion and server termination when processing maliciously crafted HTTP requests. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity due to network attack vector, no privileges required, no user interaction, and impact limited to availability (denial of service). The vendor advisory from CERT does not specify any patch or mitigation status.
Potential Impact
The vulnerability allows an unauthenticated remote attacker to cause a denial of service by exhausting server memory resources, resulting in server termination. There is no impact on confidentiality or integrity reported. This can disrupt availability of the Orthanc DICOM Server, affecting dependent medical imaging workflows.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://kb.cert.org/vuls/id/536588 for current remediation guidance. Until an official fix is available, consider implementing network-level protections such as limiting request sizes or employing web application firewalls to detect and block suspiciously large Content-Length headers. Monitor for updates from the Orthanc project or CERT advisory for official patches or mitigations.
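To make the CWE-770 pattern and the "limit request sizes" mitigation concrete, here is an added illustrative C++ example (not Orthanc's code and not from the advisory): the unbounded allocation beside a hardened variant that validates the `Content-Length` value against a cap before any allocation. The cap `kMaxBodyBytes` and all function names are assumptions for the demonstration.

```cpp
#include <cerrno>
#include <cstdint>
#include <cstdlib>
#include <optional>
#include <string>

// Assumed cap for this illustrative server (not a value from Orthanc or the advisory).
constexpr uint64_t kMaxBodyBytes = 64ULL * 1024 * 1024;  // 64 MiB

enum class LengthCheck { Ok, Malformed, TooLarge };

// Vulnerable pattern (illustrative, CWE-770): the header value is trusted and
// drives an allocation before a single body byte has arrived.
std::string allocateBodyUnbounded(const std::string& contentLength) {
  std::string body;
  body.resize(std::stoull(contentLength));  // a huge header value means a huge allocation
  return body;
}

// Hardened check: validate the (already whitespace-trimmed) header value before
// any allocation. Only a well-formed non-negative integer <= kMaxBodyBytes passes.
LengthCheck checkContentLength(const std::string& value, uint64_t& out) {
  if (value.empty()) return LengthCheck::Malformed;
  for (char c : value)                                      // RFC 9110: Content-Length = 1*DIGIT
    if (c < '0' || c > '9') return LengthCheck::Malformed;  // rejects "-5", "+5", "12abc"
  if (value.size() > 20) return LengthCheck::TooLarge;      // cannot fit in 64 bits at all
  errno = 0;
  unsigned long long v = std::strtoull(value.c_str(), nullptr, 10);
  if (errno == ERANGE || v > kMaxBodyBytes) return LengthCheck::TooLarge;
  out = static_cast<uint64_t>(v);
  return LengthCheck::Ok;
}

// Allocation happens only after the check succeeds; a caller would map
// Malformed to 400 Bad Request and TooLarge to 413 Content Too Large.
std::optional<std::string> allocateBodyBounded(const std::string& contentLength) {
  uint64_t n = 0;
  if (checkContentLength(contentLength, n) != LengthCheck::Ok) return std::nullopt;
  std::string body;
  body.resize(static_cast<size_t>(n));
  return body;
}
```

A reverse proxy or WAF in front of the server gives the same protection at the network layer, but the in-process check is what removes the root cause.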
Technical Details
- Data Version: 5.2
- Assigner Short Name: certcc
- Date Reserved: 2026-04-02T19:22:26.410Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
- Vendor Advisory Urls: https://kb.cert.org/vuls/id/536588 (vendor: CERT)
Threat ID: 69d7bcce1cc7ad14dad7b6eb
Added to database: 4/9/2026, 2:50:54 PM
Last enriched: 4/17/2026, 11:40:58 AM
Last updated: 5/25/2026, 12:21:48 PM