Orthanc DICOM Server
Out-of-Bounds Read in DICOM Image Decoder (PMSCT_RLE1 Decompression)
The PMSCT_RLE1 decompression routine lacks bounds checks when processing escape markers within compressed image data.
This advisory contains limited information during coordinated disclosure. Please check back later for full details.
Description
Escape markers positioned near the end of the input buffer can cause the PMSCT_RLE1 decoder to read beyond allocated memory, resulting in disclosure of heap data through rendered preview images.
Impact
- Disclosure of heap memory through rendered preview images.
Mitigation
Update Orthanc to version 1.12.11 or later.
References
How We Can Help
Who We Are
The security researchers behind this advisory.
Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumni of THB MedSec Research Group
- gematik Security Hero
Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
- gematik Security Hero
Looking for a Penetration Test?
Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.