A gzip decompression bomb vulnerability exists when Orthanc (the open-source DICOM server) processes HTTP requests with `Content-Encoding: gzip`. The server does not enforce a limit on the decompressed size and allocates memory based on attacker-controlled compression metadata (for example the uncompressed length that a gzip stream declares about itself), so a small, specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory, a denial of service against the HTTP server.
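The following Python script is an added example and is not code from Orthanc or from the advisory; it uses only the standard-library `zlib` and `gzip` modules. It shows the two facts behind this bug class: the gzip trailer's ISIZE field (the declared uncompressed length) is attacker-controlled, so a decoder that sizes its output buffer from it can be made to plan a ~4 GiB allocation for a ~30-byte request; and a genuine bomb stays tiny on the wire whatever the trailer says. `safe_uncompress` is the mitigation a server should apply: inflate in bounded chunks and abort as soon as the actual output exceeds a hard cap, using the trailer only as a cheap early reject. The 1 MiB cap, the 64 KiB chunk size, the `classify` triage helper and all sample payloads are assumptions constructed for this example.

```python
"""Added example (not Orthanc code): gzip trailer metadata is attacker-controlled,
so an output buffer must never be sized from it; inflate in bounded chunks instead."""
import gzip
import struct
import zlib

# Hypothetical policy values for this example; a real server picks its own.
MAX_DECOMPRESSED = 1 << 20      # 1 MiB cap on decompressed request bodies
_CHUNK = 64 * 1024              # inflate at most this much per zlib call


class DecompressionBomb(ValueError):
    """Raised when a payload declares or produces more output than the cap allows."""


def trailer_isize(gz: bytes) -> int:
    """Uncompressed length the gzip trailer claims (ISIZE: last 4 bytes, little-endian).
    A decoder that allocates this many bytes up front is the pattern the advisory
    describes: the allocation size comes straight from attacker-controlled metadata."""
    if len(gz) < 18:  # 10-byte header + 8-byte trailer is the minimum for one member
        raise ValueError("too short to be a gzip member")
    return struct.unpack("<I", gz[-4:])[0]


def set_trailer_isize(gz: bytes, claimed: int) -> bytes:
    """Return a copy of a gzip member whose ISIZE field is overwritten with `claimed`.
    The CRC32 and the deflate body are untouched, so only the metadata lies."""
    return gz[:-4] + struct.pack("<I", claimed & 0xFFFFFFFF)


def safe_uncompress(gz: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a gzip member without ever trusting its declared size.

    1. Cheap early reject: a trailer that already claims more than `limit` can only
       be a bomb or corrupt, so refuse before touching zlib.
    2. Inflate with a bounded max_length per call and stop as soon as the running
       output exceeds `limit`, regardless of what the trailer promised.
    """
    if trailer_isize(gz) > limit:
        raise DecompressionBomb(f"trailer claims {trailer_isize(gz)} bytes, cap is {limit}")

    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # accept the gzip wrapper only
    out = bytearray()
    pending = gz
    while not d.eof:
        produced = d.decompress(pending, _CHUNK)         # at most _CHUNK bytes of output
        pending = d.unconsumed_tail                      # input zlib has not consumed yet
        out += produced
        if len(out) > limit:
            raise DecompressionBomb(f"output exceeded cap of {limit} bytes")
        if not produced and not pending:
            # No input left, nothing produced, end-of-stream never seen: truncated.
            raise ValueError("truncated gzip stream")
    return bytes(out)


def classify(gz: bytes, limit: int = MAX_DECOMPRESSED) -> str:
    """Triage helper: 'ok', 'bomb' (oversized claim or cap exceeded) or 'corrupt'."""
    try:
        safe_uncompress(gz, limit)
    except DecompressionBomb:
        return "bomb"
    except (zlib.error, ValueError):
        return "corrupt"
    return "ok"


def build_samples() -> dict:
    """Constructed payloads for the demo; none come from real traffic."""
    benign = gzip.compress(b"hello world")
    bomb = gzip.compress(b"\0" * (8 << 20))     # 8 MiB of zeros -> roughly 8 KiB on the wire
    return {
        "benign": benign,
        # Honest body, lying trailer: claims 4 GiB. A trailer-trusting decoder
        # would try to allocate that much for a ~30-byte request.
        "benign_forged_isize": set_trailer_isize(benign, 0xFFFFFFFF),
        "bomb": bomb,
        # Real bomb whose trailer under-reports: passes the early check and
        # must be caught by the streaming cap instead.
        "bomb_forged_isize": set_trailer_isize(bomb, 100),
        # gzip magic followed by compression method 0 (must be 8): zlib rejects it.
        "not_gzip": b"\x1f\x8b" + bytes(12) + struct.pack("<I", 11),
    }


if __name__ == "__main__":
    for name, gz in build_samples().items():
        print(f"{name:20s} wire={len(gz):6d}B trailer_claims={trailer_isize(gz):10d}B -> {classify(gz)}")
```

The design point is that neither the declared size nor the first few kilobytes of output tell you anything reliable: the trailer can over-report (to force a huge allocation) or under-report (to slip past a size check), so the cap has to be enforced on bytes actually produced, with the trailer used only to fail fast.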
Updated Apr 09, 2026
CVE Details
CVE ID: CVE-2026-5438
Published Date: Apr 09, 2026
Vendor: Payload
Severity: NONE
Exploit Prediction (EPSS)
Probability of Exploit: 0.06% (likelihood of exploitation in the next 30 days)
Percentile: 17.1 (higher than 17.1% of all CVEs)
Standard patching cycle
Impact: Minimal impact
Source: View Advisory