CVE-2026-5439

Memory Exhaustion via Forged ZIP Metadata

CVSS 7.5 HIGHEPSS 0.4%

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

09 abr 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Productos afectados

Orthanc · DICOM Server

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://kb.cert.org/vuls/id/536588 https://www.machinespirits.de/https://www.orthanc-server.com/