Description

A gzip decompression bomb vulnerability exists when Orthanc processes HTTP requests with `Content-Encoding: gzip`. The server does not enforce a limit on the decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can therefore trigger excessive memory allocation and exhaust system memory.
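The defensive pattern the description implies is to inflate a gzip body incrementally under a hard output cap and to treat the gzip trailer's ISIZE field (the "compression metadata" an attacker controls) as nothing more than a claim. The following is an added example, not Orthanc's code and not the project's fix; the byte limit, the function names and the constructed request bodies are assumptions made for illustration.

```python
import gzip
import io
import struct
import zlib

# Maximum number of bytes the server is willing to produce from one request
# body. Constructed value for this example; a real deployment sizes it to the
# largest legitimate upload it expects.
MAX_DECOMPRESSED_BYTES = 1 << 20  # 1 MiB


class DecompressionLimitExceeded(ValueError):
    """Raised when a gzip body expands past the configured cap."""


def claimed_isize(data: bytes) -> int:
    """Return the ISIZE value from the gzip trailer (last 4 bytes, little-endian).

    This is the uncompressed length the *sender* claims. It is untrusted input
    and must never be used to size an allocation.
    """
    if len(data) < 18:  # 10-byte header + 8-byte trailer minimum
        raise ValueError("too short to be a gzip member")
    return struct.unpack("<I", data[-4:])[0]


def decompress_gzip_bounded(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate a gzip body while capping the bytes produced at `limit`.

    GzipFile.read(n) passes n through to zlib as max_length, so memory use is
    bounded by the chunk we ask for, not by anything in the payload. The cap is
    checked against actual output, so a forged ISIZE changes nothing.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as f:
        while True:
            # Never request 0 bytes: the loop only runs while len(out) <= limit,
            # so the request size is always at least 1.
            want = min(64 * 1024, limit + 1 - len(out))
            chunk = f.read(want)
            if not chunk:
                break
            out += chunk
            if len(out) > limit:
                raise DecompressionLimitExceeded(
                    f"decompressed body exceeds {limit} bytes (claimed ISIZE "
                    f"{claimed_isize(data)})"
                )
    return bytes(out)


def handle_request_body(body: bytes, headers: dict, limit: int = MAX_DECOMPRESSED_BYTES):
    """Hypothetical request handler front end: returns (http_status, payload).

    413 signals a body that would expand past the cap; 400 signals a corrupt
    or truncated gzip stream; anything not gzip-encoded passes through.
    """
    encoding = headers.get("Content-Encoding", "").strip().lower()
    if encoding != "gzip":
        return 200, body
    try:
        return 200, decompress_gzip_bounded(body, limit)
    except DecompressionLimitExceeded:
        return 413, None
    except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is an OSError
        return 400, None


def make_zero_bomb(n_bytes: int) -> bytes:
    """Constructed test input: a highly compressible body that inflates to n_bytes."""
    return gzip.compress(b"\x00" * n_bytes, compresslevel=9)


if __name__ == "__main__":
    bomb = make_zero_bomb(4 * 1024 * 1024)
    print("compressed:", len(bomb), "bytes; claimed ISIZE:", claimed_isize(bomb))
    print("bomb ->", handle_request_body(bomb, {"Content-Encoding": "gzip"})[0])
    # Forge the trailer so the payload *claims* to be tiny; the cap still holds.
    forged = bomb[:-4] + struct.pack("<I", 64)
    print("forged ->", handle_request_body(forged, {"Content-Encoding": "gzip"})[0])
```

The point of the forged-trailer case is that a server which sized its buffer from ISIZE would either under-allocate (claimed 64 bytes) or, for a trailer set to 4 GiB, over-allocate before a single byte was inflated; measuring the real output against a fixed cap removes the payload from that decision entirely.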

Status: PUBLISHED | Reserved 2026-04-02 | Published 2026-04-09 | Updated 2026-04-14 | Assigner: certcc

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Any version: affected

References

www.orthanc-server.com/

www.machinespirits.de/

kb.cert.org/vuls/id/536588

cve.org (CVE-2026-5438)

nvd.nist.gov (CVE-2026-5438)