VYPR
Research · Published May 28, 2026 · 1 source

Cisco Talos Details Heap Overflow in Orthanc DICOM Server via Malformed Medical Images

Cisco Talos researchers have disclosed a heap overflow vulnerability in the Orthanc DICOM server that can be triggered by uploading a specially crafted DICOM file, potentially compromising hospital PACS systems.

Cisco Talos researchers have published a detailed technical analysis demonstrating how a heap overflow in the Orthanc DICOM server, a widely used medical imaging platform, can be triggered and exploited. The bug fires when a malformed DICOM file is uploaded to the server during image ingestion, producing an out-of-bounds write that could allow an attacker to execute arbitrary code or crash the service.

The research, released on May 28, 2026, focuses on the parsing hazards of the DICOM file format, the international standard for transmitting, storing, and sharing medical images. DICOM is notoriously complex, and its widespread use in hospital Picture Archiving and Communication Systems (PACS) makes it an attractive target. Many PACS systems are configured to automatically ingest files received over the network, so a single malformed image can reach a vulnerable decoder without any user interaction.

Talos researchers examined the inner workings of several DICOM libraries, including Pydicom and GDCM, to understand how crafted files can exploit memory management weaknesses. The case study specifically targets Orthanc, an open-source DICOM server that is popular in both clinical and research settings due to its lightweight design and RESTful API. By sending a specially crafted DICOM file to Orthanc's upload endpoint, the researchers were able to trigger a heap overflow, demonstrating a concrete attack path from file upload to memory corruption.

The vulnerability lies in how Orthanc handles certain DICOM data elements during parsing. When the server processes a malformed file, a size taken from the file's contents is not checked against the heap buffer it is written into, producing an out-of-bounds write. This type of flaw is particularly dangerous because it can be leveraged for arbitrary code execution, potentially giving an attacker full control over the medical imaging server and the sensitive patient data it stores. Turning the overflow into reliable code execution still requires the attacker to shape the heap and defeat the host's exploit mitigations, but a crash of the ingestion service alone is enough to take imaging offline.
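As an added example (not code from the Talos report or from Orthanc), the C below shows the shape of this bug class on a minimal explicit-VR little-endian DICOM dataset: a decoder allocates its pixel buffer from Rows, Columns and BitsAllocated, then copies the PixelData element using the length declared in the file. The unchecked form (`naive_overrun_bytes`, which reports the overrun instead of performing the write) would overflow the heap allocation by 12 bytes on the constructed oversized sample, while `decode_pixels_checked` rejects both that file and one whose declared length runs past the end of the data. The tag values are the standard DICOM ones; the sample byte strings, the function names and the two-layer check are this example's own assumptions, and the specific element involved in the Orthanc bug is not identified here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class the article describes: a heap buffer sized
 * from one part of a DICOM file and filled using an attacker-controlled element length.
 * Not Orthanc's code. Handles a bare explicit-VR little-endian dataset (no preamble,
 * no sequences); tag values are the standard ones. */
#define TAG_ROWS        0x00280010u
#define TAG_COLUMNS     0x00280011u
#define TAG_BITS_ALLOC  0x00280100u
#define TAG_PIXEL_DATA  0x7FE00010u

typedef struct { uint32_t tag; char vr[3]; uint32_t length; const uint8_t *value; } dicom_elem;
typedef struct { uint16_t rows, cols, bits; dicom_elem pixels; } image_hdr;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) { return rd16le(p) | ((uint32_t)rd16le(p + 2) << 16); }

/* VRs whose explicit-VR header is tag(4) VR(2) reserved(2) length(4); the rest use length(2). */
static int vr_has_long_length(const char *vr)
{
    const char *long_vrs = "OB OD OF OL OV OW SQ SV UC UN UR UT UV ";  /* trailing space ends the walk */
    for (const char *q = long_vrs; *q; q += 3)
        if (vr[0] == q[0] && vr[1] == q[1]) return 1;
    return 0;
}

/* First line of defence: read the element at *off, refusing any header or declared value
 * that would run past len. Returns 0 and advances *off, or -1. */
static int next_elem(const uint8_t *buf, size_t len, size_t *off, dicom_elem *e)
{
    size_t o = *off, hdr = 8;
    if (o > len || len - o < 8) return -1;
    const uint8_t *p = buf + o;
    e->tag = ((uint32_t)rd16le(p) << 16) | rd16le(p + 2);
    e->vr[0] = (char)p[4]; e->vr[1] = (char)p[5]; e->vr[2] = '\0';
    if (vr_has_long_length(e->vr)) {
        if (len - o < 12) return -1;
        e->length = rd32le(p + 8); hdr = 12;
    } else e->length = rd16le(p + 6);
    if (e->length == 0xFFFFFFFFu) return -1;  /* undefined length (sequences, encapsulated pixels): out of scope */
    if (e->length > len - o - hdr) return -1; /* declared value would run off the end of the file */
    e->value = p + hdr;
    *off = o + hdr + e->length;
    return 0;
}

/* Collect the attributes a decoder uses to size its pixel buffer, plus the PixelData element. */
int scan_image(const uint8_t *ds, size_t len, image_hdr *h)
{
    size_t off = 0;
    dicom_elem e;
    memset(h, 0, sizeof *h);
    while (off < len) {
        if (next_elem(ds, len, &off, &e) != 0) return -1;
        if (e.tag == TAG_PIXEL_DATA) h->pixels = e;
        else if (e.length == 2) {                 /* Rows, Columns, BitsAllocated are VR US */
            if (e.tag == TAG_ROWS) h->rows = rd16le(e.value);
            else if (e.tag == TAG_COLUMNS) h->cols = rd16le(e.value);
            else if (e.tag == TAG_BITS_ALLOC) h->bits = rd16le(e.value);
        }
    }
    return h->pixels.value ? 0 : -1;
}

size_t pixel_buffer_size(const image_hdr *h) { return (size_t)h->rows * h->cols * ((h->bits + 7u) / 8u); }

/* VULNERABLE shape: malloc(pixel_buffer_size()) then memcpy(buf, pixels.value, pixels.length).
 * Instead of performing that write, report how far it would land past the allocation (0 = in bounds). */
size_t naive_overrun_bytes(const image_hdr *h)
{
    size_t alloc = pixel_buffer_size(h);
    return h->pixels.length > alloc ? h->pixels.length - alloc : 0;
}

/* HARDENED: second line of defence. PixelData length must match the dimensions (one trailing
 * pad byte allowed, since DICOM element lengths are even). Caller frees *out. */
int decode_pixels_checked(const uint8_t *ds, size_t len, uint8_t **out, size_t *out_len)
{
    image_hdr h;
    *out = NULL; *out_len = 0;
    if (scan_image(ds, len, &h) != 0) return -1;
    size_t alloc = pixel_buffer_size(&h);
    if (alloc == 0 || h.pixels.length < alloc || h.pixels.length > alloc + 1) return -1;
    uint8_t *buf = malloc(alloc);
    if (buf == NULL) return -1;
    memcpy(buf, h.pixels.value, alloc);           /* bounded by our own allocation, not by the file */
    *out = buf; *out_len = alloc;
    return 0;
}

/* Constructed datasets (not from the report): Rows=2, Columns=2, BitsAllocated=8, then PixelData (OW). */
#define IMG_HDR_BYTES \
    0x28,0x00,0x10,0x00,'U','S',0x02,0x00, 0x02,0x00, \
    0x28,0x00,0x11,0x00,'U','S',0x02,0x00, 0x02,0x00, \
    0x28,0x00,0x00,0x01,'U','S',0x02,0x00, 0x08,0x00
static const uint8_t SAMPLE_OK[] = { IMG_HDR_BYTES,
    0xE0,0x7F,0x10,0x00,'O','W',0x00,0x00, 0x04,0x00,0x00,0x00, 0x11,0x22,0x33,0x44 };
/* Length agrees with the file but not with the dimensions: 16 bytes aimed at a 4-byte heap buffer. */
static const uint8_t SAMPLE_OVERSIZED[] = { IMG_HDR_BYTES,
    0xE0,0x7F,0x10,0x00,'O','W',0x00,0x00, 0x10,0x00,0x00,0x00,
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41 };
/* Declared length 0x7FFFFFF0 runs far past the end of the file; the parser must refuse it. */
static const uint8_t SAMPLE_TRUNCATED[] = { IMG_HDR_BYTES,
    0xE0,0x7F,0x10,0x00,'O','W',0x00,0x00, 0xF0,0xFF,0xFF,0x7F, 0x41,0x41,0x41,0x41 };
```

The two checks sit at different layers. `next_elem` refuses lengths that run past the file, which catches truncated input and the classic out-of-bounds read; `decode_pixels_checked` refuses lengths that disagree with the image dimensions, which is the mismatch that turns a file that looks well formed into a heap write. A decoder that performs only the first check is still exposed to the second case.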

While the Talos report does not assign a CVE identifier to this vulnerability, it serves as a proof of concept for the broader class of DICOM parsing bugs. The researchers emphasize that the issue is not limited to Orthanc: any system that relies on Pydicom, GDCM, or similar libraries for automatic DICOM ingestion could be at risk. The white paper includes detailed technical steps for reproducing the heap overflow so that developers and security teams can audit their own deployments.

Healthcare organizations that use Orthanc or other DICOM-based systems should immediately review their network configurations to ensure that image upload endpoints, both the DICOM listener and the HTTP API, are not exposed to untrusted networks. Until patches are available, administrators can reduce the risk with network segmentation, by restricting which remote peers and users are allowed to send studies to the server, and by validating incoming DICOM files before they reach the decoder (at minimum, rejecting files whose declared element lengths run past the end of the data). The Talos research underscores the ongoing challenge of securing legacy medical protocols that were not designed with modern threat models in mind.

Synthesized by Vypr AI