CVE-2026-5439

EUVD-2026-20916
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
orthanc-serverorthanc
𝑥
< 1.12.11
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
orthanc
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
1.12.11+dfsg-7
fixed
sid
1.12.11+dfsg-7
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://kb.cert.org/vuls/id/536588
https://www.machinespirits.de/
https://www.orthanc-server.com/