CVE-2026-5440
Published: 09 April 2026
Summary
CVE-2026-5440 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 16.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
A memory exhaustion vulnerability tracked as CVE-2026-5440 affects the HTTP server component and stems from unbounded processing of the Content-Length header. The server allocates memory directly from the attacker-supplied header value without any upper bound, allowing a single crafted request to trigger excessive allocation and process termination even when no request body is sent. The flaw is assigned CWE-770 and carries a CVSS 3.1 score of 7.5.
An unauthenticated remote attacker can exploit the issue by sending a single HTTP request containing an extremely large Content-Length value. Because the attack requires no authentication, user interaction, or delivery of a body, it can be launched from anywhere on the network and results in denial of service through server termination.
The provided references point to further details hosted by CERT, Machine Spirits, and the Orthanc project, but contain no explicit mitigation statements in the supplied data. EPSS remains flat at 0.0189 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20917
Vulnerability details
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an…
more
extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables direct exploitation of HTTP server via crafted request to exhaust memory and crash the service, matching Application or System Exploitation for Endpoint Denial of Service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-5 Denial-of-service Protection directly limits the effects of memory exhaustion DoS attacks from crafted HTTP requests with oversized Content-Length headers.
SI-10 Information Input Validation checks and bounds attacker-supplied values in HTTP headers like Content-Length to prevent excessive memory allocation.
SC-6 Resource Availability protects memory and other resources from depletion caused by unbounded allocation based on unvalidated HTTP header values.