CVE-2026-5441

EUVD-2026-20918

09.04.2026, 15:16

An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
orthanc-server	orthanc	𝑥 < 1.12.11

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

orthanc

bookworm	no-dsa
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	1.12.11+dfsg-7 fixed
sid	1.12.11+dfsg-7 fixed
trixie	no-dsa

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://kb.cert.org/vuls/id/536588

https://www.machinespirits.de/

https://www.orthanc-server.com/