Cyber Resilience

CVE-2026-5439

HighDDoS

Published: 09 April 2026

Published
09 April 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 19.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5439 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-5439 is a memory exhaustion vulnerability in the ZIP archive processing functionality of Orthanc. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770: Allocation of Resources Without Limits or Throttling.

The vulnerability can be exploited remotely by any unauthenticated attacker with network access to an affected Orthanc instance, requiring low complexity and no user interaction. By uploading a specially crafted ZIP archive to the vulnerable endpoints, the attacker triggers excessive memory allocation during extraction, leading to denial of service through resource exhaustion.

Mitigation details and patches are documented in advisories from CERT at https://kb.cert.org/vuls/id/536588, the Orthanc project site at https://www.orthanc-server.com/, and https://www.machinespirits.de/. Security practitioners should consult these sources for update instructions and workarounds.

EU & UK References

Vulnerability details

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged…

more

size value, causing the server to allocate extremely large buffers during extraction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in public-facing Orthanc ZIP endpoints enables remote unauthenticated exploitation (T1190) via crafted input causing memory exhaustion DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5438Same product: Orthanc-Server Orthanc
CVE-2026-5440Same product: Orthanc-Server Orthanc
CVE-2026-5437Same product: Orthanc-Server Orthanc
CVE-2025-0896Same product: Orthanc-Server Orthanc
CVE-2026-5445Same product: Orthanc-Server Orthanc
CVE-2026-5442Same product: Orthanc-Server Orthanc
CVE-2026-5444Same product: Orthanc-Server Orthanc
CVE-2026-5443Same product: Orthanc-Server Orthanc
CVE-2026-5441Same product: Orthanc-Server Orthanc
CVE-2026-40395Shared CWE-770

Affected Assets

orthanc-server
orthanc
≤ 1.12.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-5 directly protects against denial-of-service events like memory exhaustion from crafted ZIP archives by limiting effects of resource depletion attacks.

prevent

SC-6 mandates monitoring and controlling allocation of resources such as memory to prevent excessive buffer allocation based on forged ZIP metadata.

prevent

SI-10 requires validation of information inputs like ZIP uncompressed size metadata to reject forged values that trigger large allocations.

References