CVE-2026-5443

CRITICAL

Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)

Title source: cna

Description

A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.

References (3)

https://www.orthanc-server.com/

https://www.machinespirits.de/

https://kb.cert.org/vuls/id/536588

Scores

CVSS v3 9.8

EPSS 0.0006

EPSS Percentile 19.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-787

Status published

Products (2)

Orthanc/DICOM Server < 1.12.10

orthanc-server/orthanc < 1.12.11

Published Apr 09, 2026

Tracked Since Apr 09, 2026