CVE-2026-5445
Published: 09 April 2026
Summary
CVE-2026-5445 is a critical-severity out-of-bounds read (CWE-125) in Orthanc, the DICOM server published by Orthanc-Server. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the 19.2 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation), which is the actual fix, and SI-16 (Memory Protection), which limits what a successful over-read can expose.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate every pixel index of a PALETTE COLOR DICOM image against the size declared by the lookup-table descriptor before it is used to read the table, and validate that the table data is as long as the descriptor claims. This is the control that directly prevents the out-of-bounds read.
- SI-16 (Memory Protection): memory-safety mechanisms (hardened allocators, address-space randomization, guard pages) that reduce what an out-of-bounds read in the DICOM decoder can reach. These limit rather than eliminate the leak, because the over-read lands in mapped heap memory and the bytes are copied out as pixel data, so they complement SI-10 rather than replace it.
- SI-2 (Flaw Remediation): timely identification, reporting and correction of the specific out-of-bounds read in DecodeLookupTable, i.e. applying the vendor patch, which removes the flaw outright.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is reachable without authentication or user interaction by anyone who can send DICOM data to an Orthanc instance exposed on the network. Submitting a crafted PALETTE COLOR image to such a server is the pattern Exploit Public-Facing Application (T1190) describes.
NVD Description
An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
Deeper analysis
CVE-2026-5445 is an out-of-bounds read (CWE-125) in the DecodeLookupTable function of DicomImageDecoder.cpp in the Orthanc DICOM server. The lookup-table decoding path for PALETTE COLOR images takes each pixel value as an index into the palette without checking it against the number of entries the palette actually holds. A crafted image whose indices exceed the palette size therefore makes the decoder read past the end of the lookup-table allocation and copy whatever heap bytes follow it into the decoded output image. Published on 2026-04-09, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H): network-reachable, low complexity, no privileges or user interaction, high confidentiality and availability impact, no integrity impact.
An attacker who can submit a PALETTE COLOR DICOM image with oversized pixel indices to an exposed Orthanc instance and then retrieve the rendered result gets the leaked heap bytes back embedded in the image pixels; what leaks depends on what happens to sit after the table on the heap, which may include other patients' data or server secrets. If the over-read runs far enough to cross into unmapped memory, the decoder crashes instead, which is the denial-of-service side of the rating. Because this is a read, not a write, the flaw does not corrupt memory on its own and does not by itself give code execution.
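The decoding flaw described above, reduced to a worked example. This is illustrative C++ added for this page; it is not Orthanc's DecodeLookupTable or its patch, and the PaletteLut structure, the function names and the heap layout are this example's own assumptions. It puts a palette decoder in the vulnerable shape (pixel value used as an index with no comparison against the table size) beside a hardened one that validates each index against the descriptor, and drives both with a constructed 4-entry palette followed by marker bytes standing in for adjacent heap data, so the over-read stays inside one allocation and the leak into the output pixels is visible without undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical model of a DICOM PALETTE COLOR lookup table; names are this
// example's, not Orthanc's. In DICOM the Palette Color LUT Descriptor
// (0028,1101/1102/1103) gives the entry count (0 meaning 65536, resolved by
// the caller), the first pixel value that is mapped, and bits per entry; the
// LUT Data elements (0028,1201/1202/1203) hold one table per channel.
// 8-bit entries are used here for brevity.
struct PaletteLut {
    uint32_t entries;        // valid entries per channel (already resolved)
    uint16_t firstMapped;    // pixel value that selects entry 0
    const uint8_t* red;      // channel tables; each must hold `entries` bytes
    const uint8_t* green;
    const uint8_t* blue;
};

struct Rgb { uint8_t r, g, b; };

// Vulnerable shape (CWE-125): the pixel value becomes an index with no
// comparison against lut.entries, so an index past the table copies whatever
// follows the table in memory into the output image. A pixel value below
// firstMapped wraps to a huge index as well.
std::vector<Rgb> DecodeLookupTableUnchecked(const PaletteLut& lut,
                                            const std::vector<uint16_t>& pixels) {
    std::vector<Rgb> out(pixels.size());
    for (size_t i = 0; i < pixels.size(); ++i) {
        const size_t idx = static_cast<size_t>(pixels[i] - lut.firstMapped);
        out[i] = { lut.red[idx], lut.green[idx], lut.blue[idx] };  // no bounds check
    }
    return out;
}

// Hardened shape: every index is validated against the descriptor before the
// table is touched. Out-of-range pixels are rejected here by throwing;
// clamping to the first/last entry is the other defensible policy. Which
// policy Orthanc's fix uses is not stated on this page.
std::vector<Rgb> DecodeLookupTableChecked(const PaletteLut& lut,
                                          const std::vector<uint16_t>& pixels) {
    if (lut.entries == 0) {
        throw std::invalid_argument("palette descriptor declares no entries");
    }
    std::vector<Rgb> out(pixels.size());
    for (size_t i = 0; i < pixels.size(); ++i) {
        const uint16_t p = pixels[i];
        if (p < lut.firstMapped) {
            throw std::out_of_range("pixel value below first mapped value");
        }
        const uint32_t idx = static_cast<uint32_t>(p - lut.firstMapped);
        if (idx >= lut.entries) {
            throw std::out_of_range("pixel index exceeds palette size");
        }
        out[i] = { lut.red[idx], lut.green[idx], lut.blue[idx] };
    }
    return out;
}

struct DemoResult {
    std::vector<Rgb> uncheckedOnCrafted;  // leaked bytes land in these pixels
    std::vector<Rgb> checkedOnValid;      // correct colours for valid indices
    bool checkedRejectedCrafted;          // hardened decoder refused the image
};

// Constructed demo: three 4-entry channel tables at the start of one buffer,
// followed by marker bytes standing in for whatever sits after the table on
// the heap. Keeping the over-read inside this buffer keeps it well-defined.
DemoResult RunDemo() {
    static const uint8_t heap[] = {
        0x10, 0x20, 0x30, 0x40,                  // red   LUT, entries 0..3
        0x50, 0x60, 0x70, 0x80,                  // green LUT
        0x90, 0xA0, 0xB0, 0xC0,                  // blue  LUT
        'S', 'E', 'C', 'R', 'E', 'T', '!', '!'   // adjacent heap contents
    };
    const PaletteLut lut{ 4, 0, heap, heap + 4, heap + 8 };
    const std::vector<uint16_t> valid   = { 0, 1, 2, 3 };
    const std::vector<uint16_t> crafted = { 1, 4, 5, 6, 7 };  // 4..7 exceed the palette

    DemoResult r;
    r.uncheckedOnCrafted = DecodeLookupTableUnchecked(lut, crafted);
    r.checkedOnValid     = DecodeLookupTableChecked(lut, valid);
    try {
        DecodeLookupTableChecked(lut, crafted);
        r.checkedRejectedCrafted = false;
    } catch (const std::out_of_range&) {
        r.checkedRejectedCrafted = true;
    }
    return r;
}

// The wraparound case: a pixel value below firstMapped must also be refused.
bool RejectsBelowFirstMapped() {
    static const uint8_t table[4] = { 1, 2, 3, 4 };
    const PaletteLut lut{ 4, 2, table, table, table };
    try {
        DecodeLookupTableChecked(lut, { 1 });
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    const DemoResult r = RunDemo();
    // Crafted index 4 reads its blue channel from heap[12], the 'S' marker.
    return (r.uncheckedOnCrafted[1].b == 'S' && r.checkedRejectedCrafted &&
            RejectsBelowFirstMapped()) ? 0 : 1;
}
```

In the demo the unchecked decoder returns the marker bytes in the blue channel of the crafted pixels, which is the page's "heap contents in the output image" in miniature, while the checked decoder refuses the same input. The index check is only sound if the LUT Data element really holds `entries` bytes per channel; a real parser also validates that length against the descriptor when the element is read, which is the SI-10 control named above. Memory-protection controls do not stop this leak on their own, because the over-read lands in mapped heap memory and is copied out as ordinary pixel data.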
For mitigation details, see the CERT/CC vulnerability note VU#536588 (https://kb.cert.org/vuls/id/536588), the Orthanc project site (https://www.orthanc-server.com/) and https://www.machinespirits.de/.
Details
- CWE(s)