Description
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Published: 2026-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Firebird is a widely used open‑source relational database. In versions before 5.0.4, 4.0.7 and 3.0.14 the xdr_status_vector() routine does not correctly handle isc_arg_cstring arguments when decoding an op_response packet, so an attacker can send a crafted packet that causes the server to crash. The crash terminates the database process and results in a denial of service that can affect all clients. The weakness corresponds to CWE‑228, which involves terminating the application due to an unexpected exception.

Affected Systems

FirebirdSQL Firebird database server. Versions preceding 5.0.4, 4.0.7 and 3.0.14 are vulnerable. The issue is fixed in releases 5.0.4 and later, 4.0.7 and later, or 3.0.14 and later.

Risk and Exploitability

The vulnerability scores 7.5 on CVSS, indicating high impact. EPSS is not available and the vulnerability is not listed in CISA KEV. An unauthenticated attacker can exploit it by sending a malformed op_response packet to the Firebird port, which causes the server to crash and be unavailable to all clients. The effect is reachable from any host with network access to the database service and leads to a denial of service.

Generated by OpenCVE AI on April 18, 2026 at 09:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Firebird server to release 5.0.4 or later, 4.0.7 or later, or 3.0.14 or later, which includes the patch for this issue.
  • Configure network controls to block or restrict untrusted traffic from reaching the Firebird port until the upgrade is completed.
  • Monitor the database server logs for unexpected crashes and ensure that the process restarts automatically, indicating that the patch is effective.

Generated by OpenCVE AI on April 18, 2026 at 09:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Firebirdsql
Firebirdsql firebird
Vendors & Products Firebirdsql
Firebirdsql firebird

Fri, 17 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Title Firebird: DoS via `op_response` packet from client
Weaknesses CWE-228
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Firebirdsql Firebird
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T18:52:11.693Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34232

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-17T20:16:34.977

Modified: 2026-04-17T20:16:34.977

Link: CVE-2026-34232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z

Weaknesses