CVE-2026-28224
Published: 17 April 2026
Description
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Flaw remediation directly addresses the vulnerability by applying the vendor patches (versions 5.0.4, 4.0.7 and 3.0.14) that fix the null pointer dereference in the unauthenticated packet handler.
- Information input validation: checking for prior authentication before an op_crypt_key_callback packet is processed prevents the uninitialized handler from being invoked.
- Denial-of-service protection: mechanisms that limit the impact of remote unauthenticated crashes (for example, automatic restart of the server process) and detect repeated attempts against server availability.
Security Summary (AI-generated)
CVE-2026-28224 is a null pointer dereference vulnerability (CWE-476) in Firebird, an open-source relational database management system. It affects versions prior to 5.0.4, 4.0.7, and 3.0.14. The issue occurs when the server receives an op_crypt_key_callback packet without prior authentication, as the port_server_crypt_callback handler is not initialized, leading to a server crash. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), highlighting its high severity due to network accessibility and availability impact.
An unauthenticated attacker who knows only the Firebird server's IP address and port can exploit this flaw remotely. By sending a specially crafted op_crypt_key_callback packet, the attacker triggers the null pointer dereference, causing a denial-of-service condition through server crash. No authentication or user interaction is required, making it straightforward to execute repeated attacks that disrupt database availability.
Firebird has addressed this vulnerability in the fixed releases 5.0.4, 4.0.7 and 3.0.14. Security practitioners should upgrade to these versions immediately. Additional details are available in the Firebird GitHub security advisory (GHSA-xrcw-wpjx-pr95) and the corresponding release notes.
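The first practical step after reading an advisory like this is to find which servers in an inventory still run a pre-fix release, and the fixed version differs per branch (3.0.x, 4.0.x, 5.0.x), so a naive "is it below 5.0.4" check would misclassify every 3.0 and 4.0 server. The following added example (not code from the advisory or the Firebird project) parses a version string and compares it against the fix release of its own branch. It assumes versions of the form "major.minor.patch" with an optional build suffix and an optional two-letter platform prefix such as "WI-V" or "LI-V" as seen in Firebird version banners; hostnames and versions in the sample inventory are constructed.

```python
"""Classify Firebird server versions against the CVE-2026-28224 fix releases.

Added example, not part of the advisory or the Firebird project. Version-string
shapes accepted here ("5.0.3", "4.0.6.3212", "WI-V5.0.2.1613 Firebird 5.0") are
an assumption about how inventories and banners report the version.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases stated in the advisory, keyed by the (major, minor) branch.
# Branches not named in the advisory are deliberately absent: they are
# reported as "unknown" rather than guessed at.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (3, 0): (3, 0, 14),
    (4, 0): (4, 0, 7),
    (5, 0): (5, 0, 4),
}

# Optional platform prefix ("WI-", "LI-"), optional "V", then major.minor.patch,
# then anything that starts with '.', '-' or whitespace (build number, product name).
_VERSION_RE = re.compile(
    r"^\s*(?:[A-Za-z]{2}-)?[vV]?(\d+)\.(\d+)\.(\d+)(?:[.\-\s].*)?$"
)


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch), or None if the string is not a version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the release predates the fix for its branch, False if it carries
    the fix, None if the string is unparseable or the branch is not covered by
    the advisory."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_BY_BRANCH.get((parsed[0], parsed[1]))
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so (4, 0, 6) < (4, 0, 7) is True and
    # (5, 0, 4) < (5, 0, 4) is False, which is exactly the "prior to" test.
    return parsed < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts into 'affected', 'fixed' and 'unknown' for follow-up."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        status = is_affected(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["affected"].append(host)
        else:
            result["fixed"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "db-01.example.test": "5.0.3",
        "db-02.example.test": "5.0.4",
        "db-03.example.test": "4.0.6.3212",
        "db-04.example.test": "3.0.14",
        "db-05.example.test": "2.5.9",
        "db-06.example.test": "WI-V5.0.2.1613 Firebird 5.0",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" deserve a manual look rather than being treated as safe: an unrecognised banner format or a branch the advisory does not mention (such as 2.5.x) is not evidence that the fix is present.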
Details
- CWE(s): CWE-476 (NULL Pointer Dereference)
- Affected Products: Firebird versions prior to 5.0.4, 4.0.7 and 3.0.14
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows unauthenticated remote attackers to crash the Firebird database server via a crafted packet, directly enabling endpoint denial of service through application exploitation (T1499.004).