Vulnerability CVE-2026-28212: Information

Description

Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14.

Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-28212
Published: April 17, 2026
Modified: April 24, 2026
Error type identifier: CWE-476

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
firebirdsisyphus5.0.4-alt15.0.4-alt1ALT-PU-2026-7100-2417095Fixed
firebirdsisyphus_loongarch645.0.4-alt15.0.4-alt1ALT-PU-2026-7495-1-Fixed
firebirdp115.0.4-alt15.0.4-alt1ALT-PU-2026-7136-2417164Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14
  • Release Notes
https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7
  • Release Notes
https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4
  • Release Notes
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-9884-9qm3-hqch
  • Exploit
  • Vendor Advisory
BDU:2026-05715
      1. cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*
        End excluding
        3.0.14
        cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*
        Start including
        4.0.0
        End excluding
        4.0.7
        cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*
        Start including
        5.0.0
        End excluding
        5.0.4
    VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
    Version: v26.2.2
    Back to top