Hello,

Most of this CVE is related to DCMTK, not to Orthanc, as can be seen
in the patch "dcmtk-3.7.0-max-nested-sequence.patch" that is contained
in the referred changeset:
https://orthanc.uclouvain.be/hg/orthanc/rev/bae99026ca97

An associated bug should first be filed against the Debian "dcmtk"
package, before the CVE can be fixed in the Debian "orthanc" package
itself.

The "dcmtk" package must be fixed by introducing the following upstream patch:
https://github.com/DCMTK/dcmtk/commit/885ff0f10372bd589b5f44cea974f28a3964cb0f

Regards,
Sébastien-


On Tue, 2 Jun 2026 at 19:45, Moritz Mühlenhoff <[email protected]> wrote:
>
> Source: orthanc
> X-Debbugs-CC: [email protected]
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for orthanc.
>
> CVE-2026-10528[0]:
> | A security flaw has been discovered in Orthanc DICOM Server up to
> | 1.12.11. This issue affects the function DcmItem::read of the file
> | OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the
> | component DCMTK Parser. Performing a manipulation results in stack-
> | based buffer overflow. Attacking locally is a requirement. The
> | exploit has been released to the public and may be used for attacks.
> | The patch is named bae99026ca97. To fix this issue, it is
> | recommended to deploy a patch.
>
> https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258
> https://orthanc.uclouvain.be/hg/orthanc/rev/bae99026ca97
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-10528
>     https://www.cve.org/CVERecord?id=CVE-2026-10528
>
> Please adjust the affected versions in the BTS as needed.

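As an added illustration (not DCMTK's or Orthanc's code), here is a toy recursive sequence reader with the kind of nesting-depth cap that the upstream "max-nested-sequence" patch adds; the element encoding, the limit of 64 and the helper names are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Constructed nesting limit (the upstream DCMTK patch picks its own value).
// Without a cap, a crafted file can drive the recursive reader arbitrarily deep.
constexpr unsigned kMaxNestingDepth = 64;
enum class ParseStatus { Ok, Truncated, TooDeep };
// leaves: non-sequence elements seen; maxDepth: deepest sequence level entered
struct ParseResult { ParseStatus status; std::size_t leaves; unsigned maxDepth; };

// Toy element encoding, constructed for this example (not real DICOM):
//   0x01 <len> <value bytes>           leaf element
//   0x02 <len> <nested element bytes>  sequence element
ParseResult parseItems(const std::uint8_t* data, std::size_t size, unsigned depth) {
    ParseResult r{ParseStatus::Ok, 0, depth};
    if (depth > kMaxNestingDepth) { r.status = ParseStatus::TooDeep; return r; }
    std::size_t pos = 0;
    while (pos < size) {
        if (size - pos < 2) { r.status = ParseStatus::Truncated; return r; }
        std::uint8_t type = data[pos], len = data[pos + 1];
        pos += 2;
        if (len > size - pos) { r.status = ParseStatus::Truncated; return r; }
        if (type == 0x02) {  // descend one level; the cap above bounds this
            ParseResult sub = parseItems(data + pos, len, depth + 1);
            r.leaves += sub.leaves;
            if (sub.maxDepth > r.maxDepth) r.maxDepth = sub.maxDepth;
            if (sub.status != ParseStatus::Ok) { r.status = sub.status; return r; }
        } else {
            ++r.leaves;
        }
        pos += len;
    }
    return r;
}

ParseResult parseDocument(const std::vector<std::uint8_t>& doc) {
    return parseItems(doc.data(), doc.size(), 0);
}

// Wrap one leaf in `levels` nested sequences (levels <= 126 keeps the
// one-byte length field in range).
std::vector<std::uint8_t> buildNested(unsigned levels) {
    std::vector<std::uint8_t> buf{0x01, 0x01, 0x2A};
    for (unsigned i = 0; i < levels; ++i) {
        std::vector<std::uint8_t> outer{0x02, static_cast<std::uint8_t>(buf.size())};
        outer.insert(outer.end(), buf.begin(), buf.end());
        buf = outer;
    }
    return buf;
}
```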