CVE-2026-5441

HIGH

Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression)

Title source: cna

Description

An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.

References (3)

https://www.orthanc-server.com/

https://www.machinespirits.de/

https://kb.cert.org/vuls/id/536588

Scores

CVSS v3 7.1

EPSS 0.0001

EPSS Percentile 2.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-125

Status published

Products (2)

Orthanc/DICOM Server < 1.12.10

orthanc-server/orthanc < 1.12.11

Published Apr 09, 2026

Tracked Since Apr 09, 2026