CVE-2026-5440

NameCVE-2026-5440
DescriptionA memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1133182

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
orthanc (PTS)bullseye1.9.2+really1.9.1+dfsg-1+deb11u1vulnerable
bullseye (security)1.9.2+really1.9.1+dfsg-1+deb11u2vulnerable
bookworm, bookworm (security)1.10.1+dfsg-2+deb12u1vulnerable
trixie1.12.7+dfsg-4vulnerable
forky1.12.11+dfsg-4fixed
sid1.12.11+dfsg-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
orthancsource(unstable)1.12.10+dfsg-41133182

Notes

https://kb.cert.org/vuls/id/536588
https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
Search for package or bug name: Reporting problems