Description
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Published: 2026-04-17
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Null Pointer Dereference
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a null pointer dereference in the port_server_crypt_callback handler, triggered when the Firebird server receives an op_crypt_key_callback packet before authentication has taken place. An unauthenticated attacker who knows only the server's IP address and listening port can crash the database server, resulting in a denial of service. The weakness is classified as CWE-476 (NULL Pointer Dereference).

Affected Systems

FirebirdSQL Firebird database software versions earlier than 5.0.4, 4.0.7, and 3.0.14 are affected. Versions 5.0.4, 4.0.7, and 3.0.14 or newer contain the fix.

Risk and Exploitability

The CVSS score is 8.2 (High). EPSS data is not available, so the likelihood of exploitation is uncertain, but the flaw can be triggered remotely by anyone able to reach the Firebird port. The issue is not listed in the CISA KEV catalog, which suggests it has not yet seen widespread exploitation, but the potential for a server outage is high because no authentication is required.

Generated by OpenCVE AI on April 18, 2026 at 09:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Firebird database to version 5.0.4, 4.0.7, or 3.0.14 or later to apply the fixed crypt callback handler.
  • If an upgrade cannot be performed immediately, restrict inbound access to the Firebird port with a firewall or network segmentation to block unauthenticated external traffic.
  • Monitor server logs for abnormal op_crypt_key_callback traffic and set alerts for unexpected crashes to detect ongoing exploitation attempts.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Firebirdsql; Firebirdsql firebird

Type: Vendors & Products
Values Removed: (none)
Values Added: Firebirdsql; Firebirdsql firebird

Fri, 17 Apr 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Type: Title
Values Removed: (none)
Values Added: Firebird Null Pointer Dereference via CryptCallback causes DOS

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-476

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added:
{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

Firebirdsql Firebird
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T19:31:38.952Z

Reserved: 2026-02-25T15:28:40.650Z

Link: CVE-2026-28224

Vulnrichment

Updated: 2026-04-17T19:31:27.860Z

NVD

Status: Received

Published: 2026-04-17T19:16:35.983

Modified: 2026-04-17T20:16:32.460

Link: CVE-2026-28224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z

Weaknesses