CVE-2026-28224 · HIGH 8.2 · EPSS percentile 36.7%


Description

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS: 0.46% probability of exploitation · percentile 36.7% · scored 2026-06-18T12:00:27Z
Published: 2026-04-17
Last modified: 2026-04-24

Underlying weaknesses (1)

CWE-476

References

  1. https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14
  2. https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7
  3. https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4
  4. https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-xrcw-wpjx-pr95

Weakness mapping (1)

Type      | Target                              | Confidence | Tier
Weakness  | NULL Pointer Dereference (cwe-476)  | 0%         | live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.