CVE-2026-5441
Published: 09 April 2026
Summary
CVE-2026-5441 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the out-of-bounds read vulnerability by applying vendor patches for the DecodePsmctRle1 function as referenced in advisories.
Enforces validation of escape markers and compressed data streams in the PMSCT_RLE1 decompression routine to prevent reads beyond allocated memory.
Ensures error conditions during DICOM image decoding do not leak heap data into rendered output or cause availability impacts like crashes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The out-of-bounds read is triggered when a user opens a specially crafted DICOM file (T1204.002 Malicious File), leaking heap data from the local system into the rendered output (T1005 Data from Local System).
NVD Description
An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence…
more
at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
Deeper analysisAI
CVE-2026-5441 is an out-of-bounds read vulnerability in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. It affects the `PMSCT_RLE1` decompression routine, which handles the proprietary Philips Compression format in DICOM images. The issue arises because the decoder does not properly validate escape markers near the end of the compressed data stream, enabling a crafted sequence to trigger reads beyond the allocated memory buffer and leak heap data into the rendered image output. Published on 2026-04-09, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) and maps to CWE-125.
Exploitation requires local access with low complexity and no privileges, but depends on user interaction, such as opening a malicious DICOM file in an affected application. An unprivileged attacker could trick a user into processing a specially crafted image, achieving high confidentiality impact through heap memory disclosure visible in the output image and high availability impact, potentially via application crash or denial of service.
Advisories with mitigation guidance, including patches, are available from CERT at https://kb.cert.org/vuls/id/536588, Machine Spirits at https://www.machinespirits.de/, and Orthanc at https://www.orthanc-server.com/.
Details
- CWE(s)