CVE-2026-5438

NameCVE-2026-5438
DescriptionA gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1133182

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
orthanc (PTS)bullseye1.9.2+really1.9.1+dfsg-1+deb11u1vulnerable
bullseye (security)1.9.2+really1.9.1+dfsg-1+deb11u2vulnerable
bookworm, bookworm (security)1.10.1+dfsg-2+deb12u1vulnerable
trixie1.12.7+dfsg-4vulnerable
forky1.12.11+dfsg-4fixed
sid1.12.11+dfsg-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
orthancsource(unstable)1.12.10+dfsg-41133182

Notes

https://kb.cert.org/vuls/id/536588
https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
Search for package or bug name: Reporting problems