Cyber Resilience

CVE-2026-5440

HighDDoS

Published: 09 April 2026

Published
09 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0189 83.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5440 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 16.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

A memory exhaustion vulnerability tracked as CVE-2026-5440 affects the HTTP server component and stems from unbounded processing of the Content-Length header. The server allocates memory directly from the attacker-supplied header value without any upper bound, allowing a single crafted request to trigger excessive allocation and process termination even when no request body is sent. The flaw is assigned CWE-770 and carries a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can exploit the issue by sending a single HTTP request containing an extremely large Content-Length value. Because the attack requires no authentication, user interaction, or delivery of a body, it can be launched from anywhere on the network and results in denial of service through server termination.

The provided references point to further details hosted by CERT, Machine Spirits, and the Orthanc project, but contain no explicit mitigation statements in the supplied data. EPSS remains flat at 0.0189 with no material increase after disclosure.

EU & UK References

Vulnerability details

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an…

more

extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables direct exploitation of HTTP server via crafted request to exhaust memory and crash the service, matching Application or System Exploitation for Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5438Same product: Orthanc-Server Orthanc
CVE-2026-5439Same product: Orthanc-Server Orthanc
CVE-2026-5437Same product: Orthanc-Server Orthanc
CVE-2026-5444Same product: Orthanc-Server Orthanc
CVE-2025-0896Same product: Orthanc-Server Orthanc
CVE-2026-5445Same product: Orthanc-Server Orthanc
CVE-2026-5441Same product: Orthanc-Server Orthanc
CVE-2026-5442Same product: Orthanc-Server Orthanc
CVE-2026-5443Same product: Orthanc-Server Orthanc
CVE-2021-47877Shared CWE-770

Affected Assets

orthanc-server
orthanc
≤ 1.12.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-5 Denial-of-service Protection directly limits the effects of memory exhaustion DoS attacks from crafted HTTP requests with oversized Content-Length headers.

prevent

SI-10 Information Input Validation checks and bounds attacker-supplied values in HTTP headers like Content-Length to prevent excessive memory allocation.

prevent

SC-6 Resource Availability protects memory and other resources from depletion caused by unbounded allocation based on unvalidated HTTP header values.

References