Description

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
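
One way to close this class of bug, shown as an added example (not code from the affected product or from the advisory): validate the header value before any allocation, and grow the body buffer only as bytes actually arrive. `MAX_BODY_BYTES`, `parse_content_length`, `struct body` and `body_append` are hypothetical names, and the 64 MiB cap is an assumed policy value.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy value for this example: largest body the server accepts. */
#define MAX_BODY_BYTES (64u * 1024u * 1024u)

enum cl_status { CL_OK = 0, CL_MALFORMED = 400, CL_TOO_LARGE = 413 };

/* Validate a Content-Length value before anything is allocated.
 * Accepts only 1*DIGIT: no sign, whitespace or trailing bytes. */
enum cl_status parse_content_length(const char *value, size_t *out)
{
    uint64_t n = 0;
    if (value == NULL || *value == '\0')
        return CL_MALFORMED;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return CL_MALFORMED;
        n = n * 10 + (uint64_t)(*p - '0');
        if (n > MAX_BODY_BYTES)   /* checked per digit, so n cannot wrap */
            return CL_TOO_LARGE;
    }
    *out = (size_t)n;
    return CL_OK;
}

/* Body buffer whose capacity tracks received bytes, not the declared length,
 * so a large declared length with no body costs no memory. */
struct body { unsigned char *data; size_t len, cap, declared; };

/* Append one received chunk. Returns 0 on success, -1 on error. */
int body_append(struct body *b, const unsigned char *chunk, size_t n)
{
    if (n == 0) return 0;
    if (n > b->declared - b->len)          /* more data than declared */
        return -1;
    if (b->len + n > b->cap) {
        size_t cap = b->cap ? b->cap : 4096;
        while (cap < b->len + n) cap *= 2;
        if (cap > b->declared) cap = b->declared;  /* never exceed the cap */
        unsigned char *p = realloc(b->data, cap);
        if (p == NULL) return -1;
        b->data = p;
        b->cap = cap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}
```

A caller would map `CL_MALFORMED` and `CL_TOO_LARGE` to HTTP 400 and 413 responses and set `declared` from the parsed value before reading the body.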

PUBLISHED Reserved 2026-04-02 | Published 2026-04-09 | Updated 2026-04-14 | Assigner certcc

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Any version: affected

References

www.orthanc-server.com/

www.machinespirits.de/

kb.cert.org/vuls/id/536588

cve.org (CVE-2026-5440)

nvd.nist.gov (CVE-2026-5440)