DEBIAN-CVE-2026-5439

Source
https://security-tracker.debian.org/tracker/CVE-2026-5439
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-5439.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-5439
Upstream
  • CVE-2026-5439
Published
2026-04-09T15:16:15.443Z
Modified
2026-04-28T20:31:44.852495Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

References

Affected packages

Debian:11 / orthanc

Package

Name
orthanc
Purl
pkg:deb/debian/orthanc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*
1.9.2+really1.9.1+dfsg-1
1.9.2+really1.9.1+dfsg-1+deb11u1
1.9.2+really1.9.1+dfsg-1+deb11u2
1.9.3+dfsg-1
1.9.5+dfsg-1
1.9.6+dfsg-1
1.9.7+dfsg-1
1.9.7+dfsg-2
1.9.7+dfsg-3
1.9.7+dfsg-4
1.9.7+dfsg-5
1.9.7+dfsg-6
1.10.0+dfsg-1
1.10.1+dfsg-1
1.10.1+dfsg-2
1.12.1+dfsg-1
1.12.1+dfsg-2
1.12.1+dfsg-3
1.12.1+dfsg-4
1.12.2+dfsg-1
1.12.3+dfsg-1
1.12.3+dfsg-2
1.12.4+dfsg-1
1.12.4+dfsg-2
1.12.4+dfsg-3
1.12.4+dfsg-4
1.12.5+dfsg-1
1.12.5+dfsg-2
1.12.6+dfsg-1
1.12.7+dfsg-1
1.12.7+dfsg-2
1.12.7+dfsg-3
1.12.7+dfsg-4
1.12.9+dfsg-1
1.12.9+dfsg-2
1.12.10+dfsg-1
1.12.10+dfsg-2
1.12.10+dfsg-3
1.12.10+dfsg-4
1.12.10+dfsg-5
1.12.11+dfsg-1
1.12.11+dfsg-2
1.12.11+dfsg-3
1.12.11+dfsg-4
1.12.11+dfsg-5
1.12.11+dfsg-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-5439.json"

Debian:12 / orthanc

Package

Name
orthanc
Purl
pkg:deb/debian/orthanc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*
1.10.1+dfsg-2
1.10.1+dfsg-2+deb12u1
1.12.1+dfsg-1
1.12.1+dfsg-2
1.12.1+dfsg-3
1.12.1+dfsg-4
1.12.2+dfsg-1
1.12.3+dfsg-1
1.12.3+dfsg-2
1.12.4+dfsg-1
1.12.4+dfsg-2
1.12.4+dfsg-3
1.12.4+dfsg-4
1.12.5+dfsg-1
1.12.5+dfsg-2
1.12.6+dfsg-1
1.12.7+dfsg-1
1.12.7+dfsg-2
1.12.7+dfsg-3
1.12.7+dfsg-4
1.12.9+dfsg-1
1.12.9+dfsg-2
1.12.10+dfsg-1
1.12.10+dfsg-2
1.12.10+dfsg-3
1.12.10+dfsg-4
1.12.10+dfsg-5
1.12.11+dfsg-1
1.12.11+dfsg-2
1.12.11+dfsg-3
1.12.11+dfsg-4
1.12.11+dfsg-5
1.12.11+dfsg-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-5439.json"

Debian:13 / orthanc

Package

Name
orthanc
Purl
pkg:deb/debian/orthanc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*
1.12.7+dfsg-4
1.12.9+dfsg-1
1.12.9+dfsg-2
1.12.10+dfsg-1
1.12.10+dfsg-2
1.12.10+dfsg-3
1.12.10+dfsg-4
1.12.10+dfsg-5
1.12.11+dfsg-1
1.12.11+dfsg-2
1.12.11+dfsg-3
1.12.11+dfsg-4
1.12.11+dfsg-5
1.12.11+dfsg-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-5439.json"

Debian:14 / orthanc

Package

Name
orthanc
Purl
pkg:deb/debian/orthanc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.12.10+dfsg-4

Affected versions

1.*
1.12.7+dfsg-4
1.12.9+dfsg-1
1.12.9+dfsg-2
1.12.10+dfsg-1
1.12.10+dfsg-2
1.12.10+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-5439.json"