CVE-2026-5439
Published: 09 April 2026
Summary
CVE-2026-5439 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-5 directly protects against denial-of-service events like memory exhaustion from crafted ZIP archives by limiting effects of resource depletion attacks.
SC-6 mandates monitoring and controlling allocation of resources such as memory to prevent excessive buffer allocation based on forged ZIP metadata.
SI-10 requires validation of information inputs like ZIP uncompressed size metadata to reject forged values that trigger large allocations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Orthanc ZIP endpoints enables remote unauthenticated exploitation (T1190) via crafted input causing memory exhaustion DoS (T1499.004).
NVD Description
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged…
more
size value, causing the server to allocate extremely large buffers during extraction.
Deeper analysisAI
CVE-2026-5439 is a memory exhaustion vulnerability in the ZIP archive processing functionality of Orthanc. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770: Allocation of Resources Without Limits or Throttling.
The vulnerability can be exploited remotely by any unauthenticated attacker with network access to an affected Orthanc instance, requiring low complexity and no user interaction. By uploading a specially crafted ZIP archive to the vulnerable endpoints, the attacker triggers excessive memory allocation during extraction, leading to denial of service through resource exhaustion.
Mitigation details and patches are documented in advisories from CERT at https://kb.cert.org/vuls/id/536588, the Orthanc project site at https://www.orthanc-server.com/, and https://www.machinespirits.de/. Security practitioners should consult these sources for update instructions and workarounds.
Details
- CWE(s)