CVE-2026-5440
Published: 09 April 2026
Summary
CVE-2026-5440 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 17.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-5 Denial-of-service Protection directly limits the effects of memory exhaustion DoS attacks from crafted HTTP requests with oversized Content-Length headers.
SI-10 Information Input Validation checks and bounds attacker-supplied values in HTTP headers like Content-Length to prevent excessive memory allocation.
SC-6 Resource Availability protects memory and other resources from depletion caused by unbounded allocation based on unvalidated HTTP header values.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables direct exploitation of HTTP server via crafted request to exhaust memory and crash the service, matching Application or System Exploitation for Endpoint Denial of Service.
NVD Description
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an…
more
extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
Deeper analysisAI
CVE-2026-5440 is a memory exhaustion vulnerability in the HTTP server component, stemming from unbounded use of the Content-Length header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request with an extremely large Content-Length value triggers excessive memory allocation and server termination, even without sending a request body. Published on 2026-04-09, it carries a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-770.
Any unauthenticated attacker with network access to the server can exploit this vulnerability. By sending a single crafted HTTP request containing an oversized Content-Length header, the attacker induces massive memory allocation, causing the server to crash and resulting in a denial-of-service condition.
Advisories and mitigation guidance are available in references including CERT KB at https://kb.cert.org/vuls/id/536588, https://www.machinespirits.de/, and https://www.orthanc-server.com/.
Details
- CWE(s)