High severity 7.5 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 15, 2026
CVE-2026-5438
Description
A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with Content-Encoding: gzip. The server does not enforce limits on the decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
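The missing control, as an added Python example that is not Orthanc's code: a request body is inflated in fixed-size steps against a hard output cap, and no buffer is ever sized from a length field carried in the stream. The names `bounded_gunzip`, `BodyTooLarge` and the 1 MiB limit are assumptions chosen for illustration.

```python
import gzip
import zlib

MAX_DECOMPRESSED = 1024 * 1024   # assumed policy limit for one request body
STEP = 16 * 1024                 # most output accepted per inflate call


class BodyTooLarge(Exception):
    """The decompressed body would exceed the configured limit."""


def bounded_gunzip(body: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a gzip body without ever holding more than limit + 1 bytes.

    Size fields inside the stream (such as the gzip ISIZE trailer) are
    sender-supplied, so they are never used to pre-allocate anything.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    pending = body
    while not inflater.eof:
        # Ask for one byte past the limit at most, so overflow is detected
        # without inflating the rest. Always >= 1 (0 would mean "unlimited").
        want = min(STEP, limit - len(out) + 1)
        chunk = inflater.decompress(pending, want)
        pending = inflater.unconsumed_tail
        out += chunk
        if len(out) > limit:
            raise BodyTooLarge(f"decompressed body exceeds {limit} bytes")
        if not chunk and not pending and not inflater.eof:
            raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary body and a highly compressible one.
    ordinary = gzip.compress(b"PatientName=TEST^CASE\n" * 50)
    oversized = gzip.compress(b"\0" * (4 * 1024 * 1024))
    print("ordinary:", len(ordinary), "->", len(bounded_gunzip(ordinary)))
    try:
        bounded_gunzip(oversized)
    except BodyTooLarge as exc:
        print("oversized:", len(oversized), "bytes on the wire, rejected:", exc)
```

A server would map `BodyTooLarge` to HTTP 413 and also cap the compressed request size before this function is reached.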
Affected products
- cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:* range: <1.12.11
- (no CPE)
References
- kb.cert.org/vuls/id/536588 (nvd: Third Party Advisory, VDB Entry)
- www.machinespirits.de (nvd: Not Applicable)
- www.orthanc-server.com (nvd: Product)