CVE-2026-5438
Published: 09 April 2026
Summary
CVE-2026-5438 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 17.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): Directly mandates protections against denial-of-service attacks, including memory exhaustion from specially crafted gzip decompression bombs in HTTP requests.
- SC-6 (Resource Availability): Ensures the availability of critical system resources such as memory by protecting against exhaustion triggered by attacker-controlled compression metadata.
- SI-10 (Information Input Validation): Requires validation of information inputs such as gzip-encoded HTTP payloads to detect and reject those that lead to excessive decompression and memory allocation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely reachable vulnerability in a public-facing application (Orthanc) that an attacker exploits directly with a crafted HTTP request to cause memory exhaustion and denial of service, which maps to Application or System Exploitation.
NVD Description
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP requests with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
Deeper analysis
CVE-2026-5438 is a gzip decompression bomb vulnerability in Orthanc, an open-source medical imaging server. The issue arises when Orthanc processes HTTP requests with a Content-Encoding: gzip header. The server does not enforce limits on the decompressed payload size and allocates memory based on attacker-controlled compression metadata in the gzip member. The gzip format (RFC 1952) carries exactly one size field, the ISIZE value in the 8-byte trailer (uncompressed length modulo 2^32); like every other byte of the request body it is chosen by the sender, so a decompressor that sizes buffers from it, or inflates without a hard output cap, can be driven to allocate far more than the compressed input warrants. A specially crafted gzip payload can therefore trigger excessive memory allocation, leading to system memory exhaustion.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its availability impact. Remote attackers require only network access to the Orthanc server, with low attack complexity, no privileges, and no user interaction needed. By sending a malicious gzip-encoded HTTP request, attackers can cause denial-of-service through resource exhaustion (CWE-770), without affecting confidentiality or integrity.
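The two allocation patterns discussed above, the unsafe one that sizes memory from attacker-controlled gzip metadata and a bounded alternative that streams through zlib under a hard output cap, as an added Python example. This is illustrative code written for this page, not Orthanc's own implementation (which is C++); the cap `MAX_DECOMPRESSED_BYTES`, the helper names and the sample bodies (a benign member, a zero-filled bomb and a member with a forged ISIZE trailer) are assumptions constructed for the demonstration.

```python
"""Added example: bounding gzip decompression instead of trusting the trailer.

A gzip member ends with an 8-byte trailer: CRC32 of the plaintext and ISIZE, the
uncompressed length modulo 2**32 (RFC 1952). Both are attacker-controlled bytes.
Sizing an output buffer from ISIZE, or inflating with no cap, is the CWE-770
decompression-bomb pattern. Illustrative code only, not Orthanc's.
"""
import gzip
import struct
import zlib

# Hypothetical policy: the largest decompressed request body we are willing to hold.
MAX_DECOMPRESSED_BYTES = 64 * 1024


class DecompressionLimitExceeded(Exception):
    """Raised when inflated output would exceed the configured cap."""


def isize_from_trailer(member: bytes) -> int:
    """Read the ISIZE field: the last 4 bytes of a member, little-endian (RFC 1952)."""
    return struct.unpack("<I", member[-4:])[0]


def naive_alloc_size(member: bytes) -> int:
    """Unsafe pattern: pick the output-buffer size from attacker-supplied metadata."""
    return isize_from_trailer(member)


def bounded_gunzip(member: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Hardened pattern: stream through zlib, cap total output, never size from ISIZE.

    zlib's max_length argument bounds how much plaintext one call may emit; the
    compressed input it did not get to is parked in unconsumed_tail and fed back.
    """
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + wbits selects gzip framing
    out = bytearray()
    pending = member
    while pending and not inflater.eof:
        # Ask for one byte beyond the remaining budget: an overrun becomes detectable
        # while never materialising more than limit + 1 bytes of plaintext.
        room = limit - len(out) + 1
        out += inflater.decompress(pending, room)
        if len(out) > limit:
            raise DecompressionLimitExceeded(f"inflated output exceeds {limit} bytes")
        pending = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > limit:
        raise DecompressionLimitExceeded(f"inflated output exceeds {limit} bytes")
    return bytes(out)


def decompress_outcome(member: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> str:
    """Classify what the hardened path does with a body: 'ok', 'limit' or 'corrupt'."""
    try:
        bounded_gunzip(member, limit)
    except DecompressionLimitExceeded:
        return "limit"
    except zlib.error:  # zlib verifies CRC32 and ISIZE at end of member
        return "corrupt"
    return "ok"


# --- constructed sample bodies (not captured traffic) ---------------------------

def make_bomb(plaintext_size: int) -> bytes:
    """Highly compressible body: a run of zero bytes."""
    return gzip.compress(b"\x00" * plaintext_size, compresslevel=9)


def forge_isize(member: bytes, claimed: int) -> bytes:
    """Rewrite the ISIZE trailer to an arbitrary value; the deflate body is untouched."""
    return member[:-4] + struct.pack("<I", claimed & 0xFFFFFFFF)


BENIGN = gzip.compress(b"<dicom-json>" * 100)   # 1.2 KiB of plaintext
BOMB = make_bomb(8 * 1024 * 1024)               # 8 MiB of plaintext, a few KiB compressed
FORGED = forge_isize(BENIGN, 0xFFFFFFFF)        # tiny body whose trailer claims ~4 GiB


if __name__ == "__main__":
    print("bomb compressed size:", len(BOMB), "bytes")
    print("naive allocation for forged body:", naive_alloc_size(FORGED), "bytes")
    for name, body in (("benign", BENIGN), ("bomb", BOMB), ("forged", FORGED)):
        print(f"bounded_gunzip({name}):", decompress_outcome(body))
```

The hardened path owns the budget: it allocates in proportion to what it has actually inflated, stops the moment the cap is crossed, and leaves trailer validation to zlib, which rejects the forged ISIZE as a length-check error after the (small) body has been inflated. The same shape applies to any decoder that inflates a request body before handing it to application code; the limit should be set per endpoint from the largest legitimate decoded payload, not from anything in the request.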
Mitigation details are available in the related advisories: the CERT Coordination Center vulnerability note at https://kb.cert.org/vuls/id/536588, and the pages at https://www.machinespirits.de/ and https://www.orthanc-server.com/.
Details
- CWE(s)