CVE-2026-10528: Orthanc DICOM Server Stack Buffer Overflow – Patch Guidance
Orthanc DICOM Server versions up to 1.12.11 contain a stack-based buffer overflow vulnerability in the DCMTK parser component. The flaw exists in the DcmItem::read function and can be triggered through malicious DICOM file manipulation. An attacker with local system access can exploit this to cause a denial of service condition. The vulnerability has been publicly disclosed with working exploit code available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10528 is a stack-based buffer overflow (CWE-119, CWE-121) in the DCMTK parser library integrated within Orthanc's DICOM processing pipeline. The vulnerability resides in OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp, specifically in the DcmItem::read function. Insufficient bounds checking during DICOM tag parsing allows a specially crafted DICOM file to overflow the stack, potentially corrupting process memory. The CVSS 3.1 score of 3.3 (LOW severity) reflects the local-only attack vector and availability impact limitation, though the presence of public exploits increases practical risk.
Business impact
Organizations operating Orthanc DICOM servers in clinical or research environments face disruption risk. A compromised local user or an attacker with filesystem access can crash the DICOM service, interrupting medical image processing workflows and requiring manual service restart. While confidentiality and integrity are not directly impacted, availability degradation in healthcare IT infrastructure can have indirect operational and compliance consequences. The low CVSS score should not minimize urgency in environments where Orthanc availability is mission-critical.
Affected systems
Orthanc DICOM Server versions up to and including 1.12.11 are affected. The vulnerability is inherent to the DCMTK parser component used for DICOM file parsing. Systems running newer versions should verify patching status against official vendor advisories. Organizations should audit deployed Orthanc instances for version compliance.
Exploitability
Exploitation requires local system access and the ability to place or cause the processing of a malicious DICOM file. The low barrier to crafting malicious DICOM data (tools exist in the research community) combined with public exploit availability increases practical exploitability for insider threats or post-compromise lateral movement scenarios. Remote exploitation is not possible; the attacker must have local shell or file upload privileges.
Remediation
Upgrade Orthanc to a patched version released after the bae99026ca97 patch commit. Verify the exact patched version against the official Orthanc project advisory, as version numbering and release schedules may vary. Interim mitigation includes restricting local system access via least-privilege principles and monitoring DICOM file upload sources.
Patch guidance
Apply the patch identified as bae99026ca97 in the Orthanc project repository. Organizations should verify the corresponding Orthanc release version that includes this patch by consulting the official Orthanc project site and security advisories. Test patched versions in a staging environment before production deployment, particularly in clinical settings where downtime must be coordinated.
Detection guidance
Monitor Orthanc service logs for unexpected crashes or restarts, particularly when processing DICOM files from untrusted sources. System-level monitoring of stack violations, segmentation faults, or abnormal process termination tied to the Orthanc daemon can indicate exploitation attempts. Implement file integrity monitoring on DICOM input directories to detect suspicious or malformed files. Network segmentation and access controls should restrict which systems and users can submit DICOM files to the server.
Why prioritize this
Despite the LOW CVSS score, this vulnerability merits timely attention because: (1) public exploits are available and lower attack barriers for insiders; (2) Orthanc is often deployed in healthcare settings where availability is operationally sensitive; (3) the local-only requirement is less restrictive in environments with shared or multi-user systems. Organizations should prioritize patching based on whether Orthanc is internet-facing (low risk) or accessible to local or contractor users (higher risk).
Risk score, explained
The CVSS 3.1 score of 3.3 reflects a local attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), and availability impact only (A:L). The score appropriately downgrades severity due to the local-only constraint and lack of confidentiality or integrity compromise. However, organizations should weigh the score against deployment context: a shared clinical workstation running Orthanc carries different risk than an isolated research server.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local system access to place or cause processing of a malicious DICOM file. Remote attackers cannot exploit this directly, though post-compromise lateral movement or insider threats remain concerns.
What is the actual impact of exploitation?
Successful exploitation causes a denial of service via process crash. The attacker cannot read patient data or modify DICOM files; they can only interrupt service availability until Orthanc is restarted.
How do I know if my Orthanc version is affected?
Check your running Orthanc version via the administrative API or logs. If it is 1.12.11 or earlier, verify patching status against the official Orthanc project advisory and upgrade if necessary.
Is there a workaround if I cannot patch immediately?
No full workaround exists, but you can reduce risk by: restricting local user access, implementing strict access controls on DICOM input directories, validating DICOM files before ingestion, and monitoring for crashes. Upgrade as soon as feasible in your change management process.
This analysis is based on publicly available vulnerability data as of the publication date and should not be considered exhaustive security advice. Organizations should verify all patch version numbers, affected software lists, and remediation procedures against official vendor advisories before taking action. SEC.co makes no warranty regarding the completeness or accuracy of this information. Test all patches in non-production environments before deployment. Consult your own security and compliance teams regarding prioritization and deployment timing specific to your infrastructure and risk profile. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10064MEDIUMTRENDnet TEW-432BRP Stack Overflow – Unpatched EOL Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available