Cyber Posture

CVE-2026-28224

High · Public PoC · Updated

Published: 17 April 2026

Modified: 24 April 2026
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0043 (62.8th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28224 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Firebirdsql Firebird. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 37.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Flaw remediation directly addresses the vulnerability by applying vendor patches (versions 5.0.4, 4.0.7, 3.0.14) that fix the null pointer dereference in the unauthenticated packet handler.

prevent

Information input validation checks for prior authentication before processing op_crypt_key_callback packets, preventing the uninitialized handler from being invoked.

prevent · detect

Denial-of-service protection implements mechanisms to mitigate remote unauthenticated crashes and detect repeated attack attempts targeting server availability.

MITRE ATT&CK Enterprise Techniques · AI

T1499.004 · Application or System Exploitation · Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability allows unauthenticated remote attackers to crash the Firebird database server via a crafted packet, directly enabling endpoint denial of service through application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Deeper analysis · AI

CVE-2026-28224 is a null pointer dereference vulnerability (CWE-476) in Firebird, an open-source relational database management system. It affects versions prior to 5.0.4, 4.0.7, and 3.0.14. The issue occurs when the server receives an op_crypt_key_callback packet without prior authentication, as the port_server_crypt_callback handler is not initialized, leading to a server crash. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), highlighting its high severity due to network accessibility and availability impact.

An unauthenticated attacker who knows only the Firebird server's IP address and port can exploit this flaw remotely. By sending a specially crafted op_crypt_key_callback packet, the attacker triggers the null pointer dereference, causing a denial-of-service condition through server crash. No authentication or user interaction is required, making it straightforward to execute repeated attacks that disrupt database availability.

Firebird has addressed this vulnerability in the fixed releases: versions 5.0.4, 4.0.7, and 3.0.14. Security practitioners should upgrade to these versions immediately. Additional details are available in the Firebird GitHub security advisory (GHSA-xrcw-wpjx-pr95) and corresponding release notes.
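To turn the fixed-release list above into a patch-triage check, the following added example (not code from this page or from the Firebird project) classifies reported server versions per branch. It assumes version strings of the form Firebird tools report, such as "LI-V4.0.2.2816 Firebird 4.0"; the host names and version strings in the sample inventory are constructed.

```python
import re

# Fixed patch level per branch, from the advisory text: 3.0.14, 4.0.7, 5.0.4.
FIXED = {(3, 0): 14, (4, 0): 7, (5, 0): 4}

# Finds major.minor.patch (optional build number) inside a version banner,
# e.g. "4.0.2.2816" in "LI-V4.0.2.2816 Firebird 4.0", or a plain "5.0.1".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?![\d.])")


def triage(version_string):
    """Return 'vulnerable', 'fixed' or 'unknown' for one reported version."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unknown"  # no three-part version present; check manually
    major, minor, patch = (int(g) for g in m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch not named in the advisory: do not guess, flag for review.
        return "unknown"
    return "vulnerable" if patch < fixed_patch else "fixed"


def needs_action(inventory):
    """inventory: iterable of (host, version_string) pairs.
    Returns {host: status} for every host that is not confirmed fixed."""
    result = {}
    for host, version_string in inventory:
        status = triage(version_string)
        if status != "fixed":
            result[host] = status
    return result


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    ("db01.example.internal", "LI-V4.0.2.2816 Firebird 4.0"),
    ("db02.example.internal", "WI-V3.0.14.33800 Firebird 3.0"),
    ("db03.example.internal", "5.0.3"),
    ("db04.example.internal", "LI-V2.5.9.27139 Firebird 2.5"),
]

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" run a branch the advisory text does not name or returned no parsable version, so they need a manual check rather than an assumption either way.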

Details

CWE(s)

Affected Products

firebirdsql
firebird
≤ 3.0.14 · 4.0.0 — 4.0.7 · 5.0.0 — 5.0.4

CVEs Like This One

CVE-2026-28212 · Same product: Firebirdsql Firebird
CVE-2026-35215 · Same product: Firebirdsql Firebird
CVE-2026-34232 · Same product: Firebirdsql Firebird
CVE-2026-27890 · Same product: Firebirdsql Firebird
CVE-2026-33337 · Same product: Firebirdsql Firebird
CVE-2026-40342 · Same product: Firebirdsql Firebird
CVE-2025-24975 · Same product: Firebirdsql Firebird
CVE-2025-65104 · Same product: Firebirdsql Firebird
CVE-2026-31256 · Shared CWE-476
CVE-2026-7376 · Shared CWE-476

References