CVE-2026-5439

Memory Exhaustion via Forged ZIP Metadata

CVSS 7.5 HIGHEPSS 0.4%

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

09 Apr 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Orthanc · DICOM Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://kb.cert.org/vuls/id/536588 https://www.machinespirits.de/https://www.orthanc-server.com/