CVE-2026-35215
Received Received - Intake
Division by Zero Vulnerability in Firebird sdl_desc() Causes Server Crash

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35215
EUVD
EUVD-2026-23490
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
firebirdsql firebird From 4.0.0 (inc) to 4.0.7 (exc)
firebirdsql firebird From 5.0.0 (inc) to 5.0.4 (exc)
firebirdsql firebird From 3.0.0 (inc) to 3.0.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-369 The product divides a value by zero.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Firebird open-source relational database management system in versions prior to 5.0.4, 4.0.7, and 3.0.14. The issue is in the sdl_desc() function, which fails to validate the length of a decoded SDL descriptor from a slice packet. If the descriptor length is zero, it is used to calculate the number of slice items, leading to a division by zero error. An unauthenticated attacker can exploit this by sending a specially crafted slice packet to crash the server.

Impact Analysis

The vulnerability can cause a denial of service by crashing the Firebird database server when an attacker sends a crafted slice packet. Since the attacker does not need to be authenticated, this can lead to server downtime and disruption of services relying on the database.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Firebird to version 5.0.4, 4.0.7, or 3.0.14 or later, where the issue has been fixed.

Compliance Impact

The vulnerability allows an unauthenticated attacker to cause a denial of service by crashing the Firebird database server through a crafted slice packet. This results in availability impact (denial of service) but does not affect confidentiality or integrity.

Since the vulnerability does not lead to unauthorized access or data leakage, its direct impact on compliance with data protection regulations such as GDPR or HIPAA is limited. However, the denial of service could affect system availability, which is a component of these regulations' requirements for ensuring reliable access to data.

Organizations relying on Firebird should consider this vulnerability in their risk assessments and apply patches to maintain compliance with availability requirements under such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35215. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart