CVE-2026-35215
Division by Zero Vulnerability in Firebird sdl_desc() Causes Server Crash
Publication date: 2026-04-17
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| firebirdsql | firebird | From 4.0.0 (inc) to 4.0.7 (exc) |
| firebirdsql | firebird | From 5.0.0 (inc) to 5.0.4 (exc) |
| firebirdsql | firebird | From 3.0.0 (inc) to 3.0.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-369 | The product divides a value by zero. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Firebird open-source relational database management system in versions prior to 5.0.4, 4.0.7, and 3.0.14. The issue is in the sdl_desc() function, which fails to validate the length of a decoded SDL descriptor from a slice packet. If the descriptor length is zero, it is used to calculate the number of slice items, leading to a division by zero error. An unauthenticated attacker can exploit this by sending a specially crafted slice packet to crash the server.
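To make the bug class concrete, here is an added illustration (not Firebird's code, and not the real slice packet format) of the vulnerable pattern next to the hardened one: a hypothetical parser takes a descriptor length from a constructed packet and uses it as a divisor, and the fixed version rejects a zero length before the division can happen.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the bug class described above (CWE-369), not
 * Firebird's code. A slice packet carries a descriptor whose decoded length
 * is used as the divisor when computing the number of slice items. The wire
 * layout is constructed for illustration: bytes 0-1 descriptor length,
 * bytes 2-5 total slice data length (both little-endian), then the data. */
#define HDR_LEN 6
enum { SDL_OK = 0, SDL_ERR_SHORT, SDL_ERR_ZERO_LEN, SDL_ERR_TRUNCATED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the decoded length goes straight into the divisor,
 * so a zero length taken from the network crashes the process. */
size_t slice_items_unchecked(const uint8_t *pkt)
{
    return rd32(pkt + 2) / rd16(pkt);
}

/* Hardened form: bound-check the header and reject a zero-length descriptor
 * (and a data length that overruns the packet) before any division. */
int slice_items_checked(const uint8_t *pkt, size_t len, size_t *items)
{
    if (len < HDR_LEN) return SDL_ERR_SHORT;
    uint16_t desc_len = rd16(pkt);
    uint32_t data_len = rd32(pkt + 2);
    if (desc_len == 0) return SDL_ERR_ZERO_LEN;             /* the missing check */
    if (data_len > len - HDR_LEN) return SDL_ERR_TRUNCATED; /* plus a bounds check */
    *items = data_len / desc_len;
    return SDL_OK;
}

/* Builds a constructed packet with the given header fields and 12 bytes of
 * zeroed payload, then runs the hardened parser and returns its status. */
int status_for(uint16_t desc_len, uint32_t data_len, size_t *items)
{
    uint8_t pkt[HDR_LEN + 12] = {0};
    pkt[0] = (uint8_t)desc_len;         pkt[1] = (uint8_t)(desc_len >> 8);
    pkt[2] = (uint8_t)data_len;         pkt[3] = (uint8_t)(data_len >> 8);
    pkt[4] = (uint8_t)(data_len >> 16); pkt[5] = (uint8_t)(data_len >> 24);
    return slice_items_checked(pkt, sizeof pkt, items);
}
```

A packet with descriptor length 4 and data length 12 yields 3 items; the same packet with descriptor length 0 is rejected with SDL_ERR_ZERO_LEN instead of reaching the divide.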
How can this vulnerability impact me?
The vulnerability can cause a denial of service by crashing the Firebird database server when an attacker sends a crafted slice packet. Since the attacker does not need to be authenticated, this can lead to server downtime and disruption of services relying on the database.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Firebird to the fixed release for your branch: 3.0.14, 4.0.7, or 5.0.4 (or any later version in that branch).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an unauthenticated attacker to cause a denial of service by crashing the Firebird database server through a crafted slice packet. This results in availability impact (denial of service) but does not affect confidentiality or integrity.
Since the vulnerability does not lead to unauthorized access or data leakage, its direct impact on compliance with data protection regulations such as GDPR or HIPAA is limited. However, the denial of service could affect system availability, which is a component of these regulations' requirements for ensuring reliable access to data.
Organizations relying on Firebird should consider this vulnerability in their risk assessments and apply patches to maintain compliance with availability requirements under such standards.