CVE-2026-5437
Published: 09 April 2026
Summary
CVE-2026-5437 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its exploit-likelihood ranking sits at the 16.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient input validation in DicomStreamReader by requiring validation of DICOM metadata inputs at system entry points, preventing out-of-bounds reads from malformed structures.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of the specific out-of-bounds read flaw in DICOM meta-header parsing to eliminate the vulnerability.
- Memory safeguards that limit the impact of out-of-bounds reads during DICOM parsing, reducing potential denial-of-service effects.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote out-of-bounds read in a public-facing Orthanc DICOM server, triggered by crafted network data, maps to Exploit Public-Facing Application (T1190); the resulting endpoint denial of service maps to Application Exploitation (T1499.004).
NVD Description
An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
Deeper analysis
CVE-2026-5437, published on 2026-04-09, is an out-of-bounds read vulnerability (CWE-125) in the DicomStreamReader component during DICOM meta-header parsing. The issue arises when processing malformed metadata structures, causing the parser to read beyond the bounds of the allocated metadata buffer due to insufficient input validation. This affects DICOM processing software such as Orthanc-server, as indicated by vendor references.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction (CVSS 3.1 base score 7.5; vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending crafted DICOM data with malformed metadata, an unauthenticated attacker can trigger the out-of-bounds read, resulting in high availability impact such as potential denial of service, though the issue does not typically crash the server or directly expose data.
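As an added illustration of the input-validation control described above (not Orthanc's `DicomStreamReader`, whose internals this page does not show), here is a minimal DICOM Part 10 meta-header parser in C++ that checks every declared element length against the buffer it was handed before reading. The `MakeSample` helper and its bytes are constructed for this example; the malformed variant declares a length far larger than the data actually present.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>
// (group << 16 | element) -> raw value bytes of the file meta-information.
using MetaHeader = std::map<uint32_t, std::vector<uint8_t>>;
// Parse DICOM Part 10 file meta-information (group 0002, Explicit VR Little Endian).
// Every read is checked against `len` first, so a malformed length field is rejected
// instead of being read past the end of the buffer. Returns false on any inconsistency.
bool ParseMetaHeader(const uint8_t* buf, size_t len, MetaHeader& out) {
  size_t pos = 132;  // 128-byte preamble + "DICM" magic
  if (len < pos || std::memcmp(buf + 128, "DICM", 4) != 0) return false;
  auto rd16 = [&](size_t p) { return uint16_t(buf[p] | (buf[p + 1] << 8)); };
  auto rd32 = [&](size_t p) { return uint32_t(rd16(p)) | (uint32_t(rd16(p + 2)) << 16); };
  while (pos < len) {
    if (len - pos < 4) return false;  // need a whole tag
    uint16_t group = rd16(pos), elem = rd16(pos + 2);
    if (group != 0x0002) break;       // meta-information ends here
    if (len - pos < 8) return false;  // tag + VR + 2-byte length
    std::string vr(reinterpret_cast<const char*>(buf + pos + 4), 2);
    pos += 6;
    size_t vlen;
    if (vr == "OB" || vr == "OW" || vr == "OF" || vr == "SQ" || vr == "UT" || vr == "UN") {
      if (len - pos < 6) return false;  // 2 reserved bytes + 4-byte length
      vlen = rd32(pos + 2);
      pos += 6;
    } else {
      vlen = rd16(pos);
      pos += 2;
    }
    // The declared length must fit in what remains; skipping this check is what
    // lets a parser read beyond the allocated metadata buffer.
    if (vlen == 0xFFFFFFFFu || vlen > len - pos) return false;
    out[(uint32_t(group) << 16) | elem].assign(buf + pos, buf + pos + vlen);
    pos += vlen;
  }
  return true;
}
// Constructed sample: preamble, magic, then (0002,0010) TransferSyntaxUID.
// With `malformed`, the length field claims far more bytes than exist.
std::vector<uint8_t> MakeSample(bool malformed) {
  std::vector<uint8_t> v(128, 0);
  const char uid[] = "1.2.840.10008.1.2.1";  // 19 chars + null pad = 20 bytes
  uint16_t vlen = malformed ? 0xFFFF : 20;
  const uint8_t hdr[] = {'D', 'I', 'C', 'M', 0x02, 0x00, 0x10, 0x00, 'U', 'I',
                         uint8_t(vlen & 0xFF), uint8_t(vlen >> 8)};
  v.insert(v.end(), hdr, hdr + sizeof hdr);
  v.insert(v.end(), uid, uid + 20);
  return v;
}
```

A truncated file (correct length field, but bytes missing at the end) is rejected by the same check, which is the behaviour a hardened meta-header reader needs regardless of which field was tampered with.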
Mitigation details are available in related advisories, including the CERT vulnerability note at https://kb.cert.org/vuls/id/536588, as well as vendor resources at https://www.machinespirits.de/ and https://www.orthanc-server.com/.
Details
- CWE(s)