Description
Firebird is an open-source relational database management system. Version 3 (FB3) of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.
Published: 2026-04-17
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Upgrade Client
AI Analysis

Impact

The vulnerability arises because the Firebird 3 (FB3) client library writes incorrect data length values into XSQLDA fields when it communicates with a Firebird 4 or higher server. The wrong lengths let the client expose data it should not, creating an information leak. The flaw is classified as CWE-200 (Exposure of Sensitive Information) and carries a CVSS 3.1 base score of 7.9, which is a High severity rating; the score measures severity, not the likelihood of exploitation.

Affected Systems

The FirebirdSQL Firebird client library at version 3 (FB3) when used to communicate with a Firebird 4 or newer server. Any deployment that pairs an FB3 client with an FB4 or higher server is affected; the exposure is on the client side, in the data handled through that database connection. FB4 and newer client libraries are not affected.

Risk and Exploitability

The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L) gives a base score of 7.9 (High): the attack vector is local, low privileges are required, no user interaction is needed, and the scope is changed. The EPSS score of <1% indicates a very low exploitation probability, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The affected condition is easy to reach, though: any application that loads the FB3 client library and connects to a newer Firebird server exercises the flawed code path, so mixed deployments can disclose sensitive data unintentionally.

Generated by OpenCVE AI on April 28, 2026 at 16:21 UTC.

Remediation

No separate vendor patch or workaround for the FB3 client library is listed; the CVE description states that the issue is fixed by upgrading to the FB4 client or higher.

OpenCVE Recommended Actions

  • Upgrade the Firebird client library (fbclient) to version 4 or newer on every host that connects to an FB4 or higher server; the newer client no longer writes the incorrect data lengths.
  • Inventory all database connections and identify every FB3 client library that talks to an FB4 or newer server. An FB3 client against an FB3 server is outside the affected combination, but upgrading it now avoids the issue when that server is later upgraded.
  • Restrict access to the Firebird service with network segmentation and least-privilege database accounts to limit what any leaked data could expose.
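As an added example (not OpenCVE's analysis or Firebird's own code), the following Python script applies the affected condition above to an inventory of hosts and reports which ones need the client upgrade. It assumes the version-string formats returned by fbclient's isc_get_client_version() (for example "LI-V3.0.10.33601 Firebird 3.0") and by the SQL expression rdb$get_context('SYSTEM', 'ENGINE_VERSION') (for example "4.0.2"); the sample inventory is constructed.

```python
"""Added example, not OpenCVE's or Firebird's own code: flag the affected
combination named in the CVE (a version-3 client library talking to a
version-4-or-newer server) from an inventory of client and server version
strings. Assumptions: isc_get_client_version() fills a string such as
"LI-V3.0.10.33601 Firebird 3.0", and
SELECT rdb$get_context('SYSTEM', 'ENGINE_VERSION') FROM rdb$database
returns a string such as "4.0.2". All sample inputs below are constructed."""
import ctypes
import ctypes.util
import re
from typing import Optional

# First MAJOR.MINOR pair in a version string; covers both formats above.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_major_minor(version: str) -> tuple[int, int]:
    """Extract (major, minor) from a client or engine version string."""
    m = _VERSION_RE.search(version)
    if m is None:
        raise ValueError(f"no MAJOR.MINOR pair in {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected_pair(client_version: str, server_version: str) -> bool:
    """True for the combination the CVE description marks as leaking:
    an FB3 client library used with an FB4-or-higher server."""
    client_major, _ = parse_major_minor(client_version)
    server_major, _ = parse_major_minor(server_version)
    return client_major == 3 and server_major >= 4


def client_is_fixed(client_version: str) -> bool:
    """The fix is on the client side: FB4 or newer client libraries."""
    return parse_major_minor(client_version)[0] >= 4


def loaded_client_version(libname: str = "fbclient") -> Optional[str]:
    """Best effort: ask the locally installed fbclient for its version
    through isc_get_client_version(). Returns None when no fbclient
    library is found on this host."""
    path = ctypes.util.find_library(libname)
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    buf = ctypes.create_string_buffer(256)
    lib.isc_get_client_version(buf)
    return buf.value.decode("ascii", "replace")


# Constructed inventory: (host, client version string, server engine version).
SAMPLE_INVENTORY = [
    ("app01", "LI-V3.0.10.33601 Firebird 3.0", "4.0.2"),   # FB3 client, FB4 server
    ("app02", "LI-V4.0.2.2816 Firebird 4.0", "4.0.2"),     # FB4 client, FB4 server
    ("app03", "WI-V3.0.4.33054 Firebird 3.0", "3.0.10"),   # FB3 client, FB3 server
    ("app04", "LI-V3.0.12.33787 Firebird 3.0", "5.0.1"),   # FB3 client, FB5 server
]


def triage(inventory) -> list[str]:
    """Return the hosts whose client/server pair is affected, sorted."""
    return sorted(host for host, client, server in inventory
                  if is_affected_pair(client, server))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade fbclient to FB4 or newer")
    local = loaded_client_version()
    if local is None:
        print("no fbclient library found on this host")
    else:
        print("local fbclient:", local,
              "(fixed)" if client_is_fixed(local) else "(FB3 or older)")
```

Only app01 and app04 are reported: app02 already runs the fixed client, and app03 pairs an FB3 client with an FB3 server, which is outside the combination the CVE describes (it still becomes affected the day that server is upgraded, which is why the inventory should keep tracking it).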


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*

Fri, 17 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Firebirdsql
Firebirdsql firebird
Vendors & Products Firebirdsql
Firebirdsql firebird

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Description Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.
Title Firebird: Information leak vulnerability in firebird3 client when used with newer server
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L'}


Subscriptions

Firebirdsql Firebird
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T18:25:11.941Z

Reserved: 2025-11-17T20:55:34.693Z

Link: CVE-2025-65104

Vulnrichment

Updated: 2026-04-17T18:25:06.815Z

NVD

Status : Analyzed

Published: 2026-04-17T18:16:30.773

Modified: 2026-04-24T20:27:22.923

Link: CVE-2025-65104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T16:30:35Z

Weaknesses