CVE-2026-34232
Server Crash via Improper Status Vector Handling in Firebird
Publication date: 2026-04-17
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Firebird is an open-source relational database management system. Before versions 3.0.14, 4.0.7 and 5.0.4, the xdr_status_vector() function does not correctly handle the isc_arg_cstring argument type when decoding the status vector carried in an op_response packet; a crafted packet containing that type crashes the server. The issue is fixed in 3.0.14, 4.0.7 and 5.0.4.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| firebirdsql | firebird | From 4.0.0 (inc) to 4.0.7 (exc) |
| firebirdsql | firebird | From 5.0.0 (inc) to 5.0.4 (exc) |
| firebirdsql | firebird | From 3.0.0 (inc) to 3.0.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-228 | The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Firebird open-source relational database management system in versions prior to 5.0.4, 4.0.7 and 3.0.14. The flaw is in the xdr_status_vector() function, which does not correctly handle the isc_arg_cstring argument type when decoding the status vector carried in an op_response packet. Processing a packet that contains this type crashes the server.
An unauthenticated attacker can trigger the crash by sending a specially crafted op_response packet to the server.
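The failure described above is an instance of a general decoder problem: a tagged sequence in which one tag (here isc_arg_cstring) carries a different payload shape from the others, so a decoder that lacks a case for that tag, or trusts the length it carries, desynchronizes or reads past the packet. The following is an added example written for this page; it is not Firebird's code and does not reproduce Firebird's actual XDR wire format. It models a status vector with a constructed big-endian layout (documented in the comments and assumed for this example only), reuses the isc_arg_* tag values from Firebird's public API header, feeds the decoder constructed packets rather than captured traffic, and shows the three checks such a decoder needs: an explicit case for every tag it can receive, every length bounded by the bytes remaining, and unknown tags rejected rather than guessed at. The function and constant names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tag values match the isc_arg_* constants of Firebird's public API (ibase.h).
 * The byte layout is an ASSUMPTION made for this example, not Firebird's real
 * XDR encoding: each entry is a 4-byte big-endian tag followed by a payload
 * whose shape depends on the tag. */
enum { ARG_END = 0, ARG_GDS = 1, ARG_STRING = 2, ARG_CSTRING = 3, ARG_NUMBER = 4 };

enum { DECODE_TRUNCATED = -1, DECODE_BAD_TAG = -2, DECODE_TOO_MANY = -3 };

#define MAX_ENTRIES 16
#define MAX_STRING  64

struct entry {
    uint32_t tag;
    uint32_t num;                  /* code/number, or string length for string tags */
    char     str[MAX_STRING + 1];  /* NUL-terminated copy of a string payload       */
};

/* Reads one big-endian u32 at *pos; fails instead of reading past len. */
static int read_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4)
        return 0;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16)
         | ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    return 1;
}

/* Decodes a vector into out[]; returns the entry count or a negative DECODE_* code.
 * Every tag the format can carry has an explicit case, every length is checked
 * against the bytes remaining, and an unknown tag is rejected outright. */
int decode_status_vector(const uint8_t *buf, size_t len, struct entry *out)
{
    size_t pos = 0;
    int n = 0;

    for (;;) {
        uint32_t tag;
        if (!read_u32(buf, len, &pos, &tag))
            return DECODE_TRUNCATED;        /* ran out of bytes before ARG_END */
        if (tag == ARG_END)
            return n;
        if (n >= MAX_ENTRIES)
            return DECODE_TOO_MANY;

        struct entry *e = &out[n];
        memset(e, 0, sizeof *e);
        e->tag = tag;

        switch (tag) {
        case ARG_GDS:
        case ARG_NUMBER:
            if (!read_u32(buf, len, &pos, &e->num))
                return DECODE_TRUNCATED;
            break;
        case ARG_STRING:
        case ARG_CSTRING: {
            /* Length-prefixed payload: bound the length by BOTH the local buffer
             * and the bytes actually left in the packet before copying. */
            uint32_t slen;
            if (!read_u32(buf, len, &pos, &slen))
                return DECODE_TRUNCATED;
            if (slen > MAX_STRING || slen > len - pos)
                return DECODE_TRUNCATED;
            memcpy(e->str, buf + pos, slen);
            e->str[slen] = '\0';
            e->num = slen;
            pos += slen;
            break;
        }
        default:
            return DECODE_BAD_TAG;          /* never guess an unknown tag's payload size */
        }
        n++;
    }
}

/* Constructed sample packets for this example (not captured traffic). */
static const uint8_t GOOD_VECTOR[] = {
    0, 0, 0, 1,  0x14, 0, 0, 0,                        /* ARG_GDS, arbitrary code  */
    0, 0, 0, 3,  0, 0, 0, 5,  'h', 'e', 'l', 'l', 'o', /* ARG_CSTRING, length 5    */
    0, 0, 0, 0                                         /* ARG_END                  */
};
static const uint8_t OVERLONG_VECTOR[] = {
    0, 0, 0, 3,  0x7f, 0xff, 0xff, 0xff,  'h', 'i',    /* ARG_CSTRING claims 2 GiB */
    0, 0, 0, 0
};
static const uint8_t UNKNOWN_TAG_VECTOR[] = {
    0, 0, 0, 1,  0, 0, 0, 7,
    0, 0, 0, 99, 0, 0, 0, 0,                           /* tag 99: not a known type */
    0, 0, 0, 0
};

static struct entry scratch[MAX_ENTRIES];

int decode_good(void)     { return decode_status_vector(GOOD_VECTOR, sizeof GOOD_VECTOR, scratch); }
int decode_overlong(void) { return decode_status_vector(OVERLONG_VECTOR, sizeof OVERLONG_VECTOR, scratch); }
int decode_unknown(void)  { return decode_status_vector(UNKNOWN_TAG_VECTOR, sizeof UNKNOWN_TAG_VECTOR, scratch); }
uint32_t good_gds_code(void)     { decode_good(); return scratch[0].num; }
const char *good_cstring(void)   { decode_good(); return scratch[1].str; }

int main(void)
{
    printf("good: %d entries, gds=0x%08x, cstring=\"%s\"\n",
           decode_good(), good_gds_code(), good_cstring());
    printf("overlong cstring: %d\n", decode_overlong());
    printf("unknown tag: %d\n", decode_unknown());
    return 0;
}
```

The point to carry over to any real decoder is the default branch and the two-sided length check: a type the decoder does not expect must end decoding with an error, not be skipped with an assumed payload size, and a length read from the wire is attacker-controlled until it has been compared against the bytes that remain.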
How can this vulnerability impact me?
The impact is a denial of service (DoS): the server crashes while processing a maliciously crafted packet, taking the Firebird database offline until it is restarted and disrupting every application that depends on it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Firebird to the fixed release for the branch you run: 3.0.14, 4.0.7, or 5.0.4, or any later release on that branch.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a server crash through improper handling of a specific argument type in the status vector, which an unauthenticated attacker can trigger with a crafted packet.
No information is provided about any impact on data confidentiality or integrity, about availability impact beyond the crash itself, or about direct effects on compliance with standards such as GDPR or HIPAA.
Based on the available information, it is therefore not possible to determine how this vulnerability affects compliance with common standards and regulations.