{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dicom/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Orthanc","Pydicom","GDCM"],"_cs_severities":["high"],"_cs_tags":["dicom","heap overflow","orthanc","medical imaging"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA heap overflow vulnerability has been discovered in the handling of DICOM files, potentially affecting systems that automatically ingest and process these files. This vulnerability can be exploited by crafting malicious DICOM files that trigger an out-of-bounds write when parsed. The research highlights the risks associated with automated DICOM processing, particularly in Picture Archiving and Communication Systems (PACS) used in hospitals. The focus of the research is to demonstrate how an Orthanc server can be targeted during image upload, leading to a heap overflow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious DICOM file designed to exploit the heap overflow vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted DICOM file to an Orthanc server via HTTP.\u003c/li\u003e\n\u003cli\u003eThe Orthanc server receives the DICOM file and initiates the parsing process.\u003c/li\u003e\n\u003cli\u003eDuring parsing, the vulnerable DICOM decoder within Orthanc attempts to allocate memory based on malformed data in the DICOM file.\u003c/li\u003e\n\u003cli\u003eDue to incorrect size calculations, the decoder allocates an insufficient buffer on the heap.\u003c/li\u003e\n\u003cli\u003eWhen the decoder attempts to write data into the undersized buffer, it overflows into adjacent memory regions on the heap.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds write corrupts critical data structures, potentially leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Orthanc server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful heap overflow exploit could allow an attacker to execute arbitrary code on the Orthanc server. This could lead to unauthorized access to sensitive medical images and patient data stored within the PACS system. Compromise of a PACS server could disrupt hospital operations, violate patient privacy, and potentially impact patient care. While the number of affected installations is unknown, the widespread use of DICOM and Orthanc in healthcare makes this a potentially significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious DICOM file uploads based on file size and source IP to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor Orthanc server logs for errors related to DICOM parsing and memory allocation.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all DICOM files processed by Orthanc servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T10:02:49Z","date_published":"2026-05-28T10:02:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dicom-heap-overflow/","summary":"A heap overflow vulnerability exists within the DICOM file format, potentially allowing an attacker to target an Orthanc server during image uploads, leading to an out-of-bounds write.","title":"DICOM Heap Overflow in Orthanc Server","url":"https://feed.craftedsignal.io/briefs/2026-05-dicom-heap-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Dicom","version":"https://jsonfeed.org/version/1.1"}