CVE-2026-5442 Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions

A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation VR Unsigned Long UL, instead of the expected VR Unsigned Short US, which allows extremely large dimensions to be processed. This causes an integer overflow during frame...

CVE-2026-5443 Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)

A heap buffer overflow vulnerability exists during the decoding of PALETTE COLOR DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memor...

CVE-2026-5445 Out-of-Bounds Read in DicomImageDecoder (DecodeLookupTable)

An out-of-bounds read vulnerability exists in the DecodeLookupTable function within DicomImageDecoder.cpp. The lookup-table decoding logic used for PALETTE COLOR images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size...

CVE-2026-5445

An out-of-bounds read vulnerability exists in DecodeLookupTable within DicomImageDecoder.cpp. The lookup-table decoding logic for PALETTE COLOR images fails to validate pixel indices against the lookup table size, allowing crafted images with indices larger than the palette to read beyond allocat...

CVE-2026-5445

An out-of-bounds read vulnerability exists in the DecodeLookupTable function within DicomImageDecoder.cpp. The lookup-table decoding logic used for PALETTE COLOR images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size...

CVE-2026-5441 Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression)

An out-of-bounds read vulnerability exists in the DecodePsmctRle1 function of DicomImageDecoder.cpp. The PMSCTRLE1 decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafte...

CVE-2026-5441 Out-of-Bounds Read in DicomImageDecoder (PMSCT_RLE1 Decompression)

An out-of-bounds read vulnerability exists in the DecodePsmctRle1 function of DicomImageDecoder.cpp. The PMSCTRLE1 decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafte...

CVE-2026-5441

An out-of-bounds read vulnerability exists in the DecodePsmctRle1 function of DicomImageDecoder.cpp. The PMSCTRLE1 decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafte...

CVE-2026-5441

The CVE-2026-5441 entry concerns an out-of-bounds read in the DicomImageDecoder.cpp DecodePsmctRle1 function used by the PMSCT_RLE1 decompression routine (Philips proprietary format). The vulnerability stems from inadequate validation of escape markers near the end of the compressed data stream, ...

Orthanc 安全漏洞

Orthanc is a free open-source software developed by the Orthanc company. Orthanc has a security vulnerability, which stems from a heap buffer overflow in the DICOM image decoder. This vulnerability may lead to integer overflows and out-of-bound memory accesses during image decoding...

PT-2026-31634

Name of the Vulnerable Software and Affected Versions DicomImageDecoder affected versions not specified Description An out-of-bounds read issue exists in the DecodeLookupTable function within DicomImageDecoder.cpp. The lookup-table decoding logic for PALETTE COLOR images does not validate pixel...

PT-2026-31631

A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation VR Unsigned Long UL, instead of the expected VR Unsigned Short US, which allows extremely large dimensions to be processed. This causes an integer overflow during frame...

PT-2026-31630

An out-of-bounds read vulnerability exists in the DecodePsmctRle1 function of DicomImageDecoder.cpp. The PMSCT RLE1 decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A craft...

Linux Distros Unpatched Vulnerability : CVE-2026-5441

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An out-of-bounds read vulnerability exists in the DecodePsmctRle1 function of DicomImageDecoder.cpp. The PMSCTRLE1 decompression routine, which decodes the...

Linux Distros Unpatched Vulnerability : CVE-2026-5445

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An out-of-bounds read vulnerability exists in the DecodeLookupTable function within DicomImageDecoder.cpp. The lookup-table decoding logic used for PALETTE COLO...

Linux Distros Unpatched Vulnerability : CVE-2026-5442

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation VR Unsigned Long UL, instead of...

CLSA-2026-1775669856 ImageMagick: Fix of CVE-2026-25986

CVE-2026-25986: heap buffer overflow write in YUV decoder when image dimensions are not properly validated...

CLSA-2026-1775670018 ImageMagick: Fix of CVE-2026-25986

CVE-2026-25986: heap buffer overflow write in YUV decoder when image dimensions are not properly validated...

EUVD-2026-19348

OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write...

GHSA-P8XC-W3Q4-H64X OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write

Summary The DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This bug is reachable from the...