CVE-2026-5437

EUVD-2026-20913
An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
CVSS 3.x Base Score

Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: percentile 17%
Affected Products (NVD)

Vendor          Product  Version
orthanc-server  orthanc  x < 1.12.11

(x = vulnerable software versions)
Debian Releases

Debian Product  Codename             Version          Status
orthanc         bookworm                              no-dsa
orthanc         bookworm (security)                   vulnerable
orthanc         bullseye                              vulnerable
orthanc         bullseye (security)                   vulnerable
orthanc         forky                1.12.11+dfsg-7   fixed
orthanc         sid                  1.12.11+dfsg-7   fixed
orthanc         trixie                                no-dsa