A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Orthanc | DICOM Server | affected |
|
No data.
No data.
No data.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 09 Apr 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding. | |
| Title | Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions | |
| References |
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: certcc
Published:
Updated: 2026-04-09T14:43:43.571Z
Reserved: 2026-04-02T19:22:48.196Z
Link: CVE-2026-5442
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-04-09T15:16:16.543
Modified: 2026-04-09T15:16:16.543
Link: CVE-2026-5442
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.