Vulnerability CVE-2026-33337: Information

Description

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-33337
Published: April 17, 2026
Modified: April 27, 2026
Error type identifier: CWE-120CWE-502

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
firebirdsisyphus5.0.4-alt15.0.4-alt1ALT-PU-2026-7100-2417095Fixed
firebirdsisyphus_loongarch645.0.4-alt15.0.4-alt1ALT-PU-2026-7495-1-Fixed
firebirdp115.0.4-alt15.0.4-alt1ALT-PU-2026-7136-2417164Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14
  • Release Notes
https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7
  • Release Notes
https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4
  • Release Notes
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-89mq-229g-x47p
  • Exploit
  • Vendor Advisory
BDU:2026-05714
      1. cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*
        Start including
        3.0.0
        End excluding
        3.0.14
        cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*
        Start including
        4.0.0
        End excluding
        4.0.7
        cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*
        Start including
        5.0.0
        End excluding
        5.0.4
    VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
    Version: v26.2.2
    Back to top