CVE-2026-5439
CVE-2026-5439 is a high-severity memory exhaustion vulnerability in Orthanc's ZIP archive processing, rated 7.5/10 on the CVSS scale. EPSS estimates a 0.43% chance of exploitation in the next 30 days.
Description
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network attack vector, low complexity, no privileges or user interaction required, unchanged scope, no confidentiality or integrity impact, high availability impact)
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Orthanc-Server | Orthanc | < 1.12.11 |
References
- https://kb.cert.org/vuls/id/536588 (Third Party Advisory, VDB Entry)
- https://www.machinespirits.de/ (Not Applicable)
Source: NVD / NIST
