{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5440", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-02T19:22:26.410Z", "datePublished": "2026-04-09T14:43:55.684Z", "dateUpdated": "2026-04-09T14:43:55.684Z"}, "containers": {"cna": {"title": "Memory Exhaustion via Unbounded Content-Length", "descriptions": [{"lang": "en", "value": "A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Orthanc", "product": "DICOM Server", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.12.10", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "references": [{"url": "https://www.orthanc-server.com/"}, {"url": "https://www.machinespirits.de/"}, {"url": "https://kb.cert.org/vuls/id/536588"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5440"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-09T14:43:55.684Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body."}], "id": "CVE-2026-5440", "lastModified": "2026-04-09T15:16:16.337", "metrics": {}, "published": "2026-04-09T15:16:16.337", "references": [{"source": "cret@cert.org", "url": "https://kb.cert.org/vuls/id/536588"}, {"source": "cret@cert.org", "url": "https://www.machinespirits.de/"}, {"source": "cret@cert.org", "url": "https://www.orthanc-server.com/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.12.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DICOM Server", "source": "cna", "vendor": "Orthanc"}, "product": "dicom_server", "vendor": "orthanc"}], "analysis": {"en": {"generated_at": "2026-04-09T16:23:53.624240+00:00", "value": {"mitigation_remediation": ["Apply the latest Orthanc Server update if a patch is released by the vendor.", "Configure a reverse proxy or load balancer to reject or truncate requests with Content-Length values beyond a safe threshold.", "If the server configuration provides a maximum request size setting, enable or increase it to a reasonable limit.", "Continuously monitor server memory usage and restart the service gracefully if high consumption is detected."], "summary": {"action": "Assess Impact", "impact": "Denial of Service via Memory Exhaustion"}, "threat_synthesis": {"affected_systems": "The Orthanc DICOM Server is the affected product. No specific version range is listed in the CNA data, so the vulnerability may apply to any unsupported or older releases of Orthanc that still use the default HTTP server handling. Users should verify their installed version against Orthanc release notes for any mention of this issue.", "description_and_impact": "A request handling flaw in the Orthanc DICOM Server\u2019s HTTP component allows an adversary to set an arbitrarily large Content-Length header. The server allocates memory proportional to the header value without any cap, meaning that a crafted request can cause excessive memory consumption and terminate the server even if the request body is omitted. The consequence is a loss of availability; the server becomes unresponsive and must be restarted, but no data is directly disclosed or corrupted.", "risk_and_exploitability": "The Common Vulnerability Scoring System score is not provided, and EPSS data is unavailable, so exact numerical risk cannot be calculated from the source. The issue is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Nevertheless, the lack of bounds on memory allocation makes the vulnerability highly exploitable; an attacker merely needs to send a single HTTP request with a large Content-Length, a technique that can be automated or performed manually. Because the flaw leads to denial of service, it poses a significant operational threat to any system hosting Orthanc and exposing the HTTP interface."}}}}, "created": "2026-04-10T08:53:24.693619+00:00", "updated": "2026-04-10T09:32:37.290058+00:00", "vendors": ["orthanc", "orthanc$PRODUCT$dicom_server"], "weaknesses": ["CWE-789", "CWE-400"]}