CVE-2026-33337

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Vulnerability Details

Published Date

April 17, 2026

Last Modified

April 17, 2026

CWE ID

CWE-120

Source

NVD

Vendor

FirebirdSQL

Product

firebird

External References

https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14
https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7
https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-89mq-229g-x47p

CVE-2026-33337

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment