CVE-2026-5440

HIGH

Memory Exhaustion via Unbounded Content-Length

Title source: cna

Description

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.

References (3)

https://www.orthanc-server.com/

https://www.machinespirits.de/

https://kb.cert.org/vuls/id/536588

Scores

CVSS v3 7.5

EPSS 0.0164

EPSS Percentile 82.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (2)

Orthanc/DICOM Server < 1.12.10

orthanc-server/orthanc < 1.12.11

Published Apr 09, 2026

Tracked Since Apr 09, 2026