CVE-2026-33337
Published: 17 April 2026
Summary
CVE-2026-33337 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Firebirdsql Firebird. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 24.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Applying vendor patches directly remediates the buffer overflow flaw in Firebird's xdr_datum function during slice packet deserialization.
Validating cstring lengths against slice descriptor bounds in incoming packets prevents buffer overflows from malformed inputs.
Memory protection safeguards such as ASLR and DEP raise the bar for turning the overflow into code execution if input validation fails; they do not prevent the crash, so the denial-of-service impact (CVSS A:H) remains until the server is patched.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated buffer overflow in a public-facing database server (xdr_datum deserialization) directly enables T1190 for initial exploitation and T1499.004 (Endpoint Denial of Service: Application or System Exploitation) for the resulting denial of service when a crafted packet crashes the server.
NVD Description
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Deeper analysis
CVE-2026-33337 is a buffer overflow vulnerability in Firebird, an open-source relational database management system. It affects versions prior to 5.0.4, 4.0.7, and 3.0.14. The issue occurs in the xdr_datum() function during deserialization of a slice packet, where it fails to validate that a cstring length conforms to the slice descriptor bounds. This allows a cstring longer than the allocated buffer to overflow it. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-120 (Buffer Copy without Checking Size of Input) and CWE-502 (Deserialization of Untrusted Data).
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted packet to the Firebird server. Successful exploitation may cause a denial-of-service such as a server crash, with potential for other security impacts depending on the overflow's effects.
Firebird has addressed the issue in versions 5.0.4, 4.0.7, and 3.0.14. Security practitioners should upgrade to these patched releases, available at the project's GitHub release pages. Additional details are provided in the security advisory at https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-89mq-229g-x47p.
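The NVD description and the analysis above both describe the same defect class: a length carried inside the packet is trusted over the bound the slice descriptor already established. The following C model, added here as an illustration and not taken from Firebird's source (it does not reproduce the real xdr_datum() code, Firebird's wire format, or its slice descriptor structure), shows a minimal XDR-style decoder with the unchecked copy beside the bounds-checked form that the fix corresponds to. The 4-byte big-endian length prefix, the 8-byte descriptor bound and the packet bytes are all constructed assumptions for the demo; the "canary" region after the element buffer makes the overflow observable without undefined behaviour, since both regions live in one backing array.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical slice descriptor bound: bytes allocated for one element. */
#define SLICE_ELEM_LEN 8
/* Guard region placed directly after the element buffer to detect overflow. */
#define CANARY_LEN 8
#define CANARY_BYTE 0xCC

/* Toy wire element: 4-byte big-endian length, then that many cstring bytes.
 * This is an illustrative model, not Firebird's actual XDR encoding. */
static uint32_t rd_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length from the packet is trusted and copied into a
 * buffer whose size (dst_cap) was fixed by the descriptor but never consulted.
 * Returns bytes copied, or -1 if the packet is shorter than it claims. */
int decode_cstring_vulnerable(const unsigned char *pkt, size_t pkt_len,
                              unsigned char *dst, size_t dst_cap) {
    (void)dst_cap;                        /* bound is ignored: the bug */
    if (pkt_len < 4) return -1;
    uint32_t len = rd_u32_be(pkt);
    if (pkt_len - 4 < len) return -1;     /* truncated packet */
    memcpy(dst, pkt + 4, len);            /* may write past dst_cap */
    return (int)len;
}

/* Hardened pattern: reject any cstring longer than the descriptor allows
 * before touching the destination. Returns -2 for an out-of-bounds length. */
int decode_cstring_checked(const unsigned char *pkt, size_t pkt_len,
                           unsigned char *dst, size_t dst_cap) {
    if (pkt_len < 4) return -1;
    uint32_t len = rd_u32_be(pkt);
    if (len > dst_cap) return -2;         /* exceeds slice descriptor bounds */
    if (pkt_len - 4 < len) return -1;
    memcpy(dst, pkt + 4, len);
    return (int)len;
}

/* Constructed malicious packet: declares 16 bytes for an 8-byte element. */
static const unsigned char MALICIOUS_PKT[] = {
    0x00, 0x00, 0x00, 0x10,
    'A','A','A','A','A','A','A','A', 'B','B','B','B','B','B','B','B'
};

/* Constructed benign packet: 5 bytes, within the 8-byte bound. */
static const unsigned char BENIGN_PKT[] = {
    0x00, 0x00, 0x00, 0x05, 'h','e','l','l','o'
};

/* Returns 1 if any canary byte was overwritten after the decoder ran. */
static int canary_damaged(const unsigned char *mem, size_t total) {
    for (size_t i = SLICE_ELEM_LEN; i < total; i++)
        if (mem[i] != CANARY_BYTE) return 1;
    return 0;
}

/* Runs the vulnerable decoder on the malicious packet; 1 means the
 * guard region past the element buffer was clobbered. */
int vulnerable_overflows_canary(void) {
    unsigned char mem[SLICE_ELEM_LEN + CANARY_LEN];
    memset(mem, CANARY_BYTE, sizeof mem);
    int n = decode_cstring_vulnerable(MALICIOUS_PKT, sizeof MALICIOUS_PKT,
                                      mem, SLICE_ELEM_LEN);
    return n >= 0 && canary_damaged(mem, sizeof mem);
}

/* Runs the checked decoder on a packet; returns its result code, or -99 if
 * the canary was damaged despite the check (which must never happen). */
int checked_decode(const unsigned char *pkt, size_t pkt_len) {
    unsigned char mem[SLICE_ELEM_LEN + CANARY_LEN];
    memset(mem, CANARY_BYTE, sizeof mem);
    int n = decode_cstring_checked(pkt, pkt_len, mem, SLICE_ELEM_LEN);
    return canary_damaged(mem, sizeof mem) ? -99 : n;
}

int main(void) {
    printf("vulnerable decoder clobbers canary: %d\n", vulnerable_overflows_canary());
    printf("checked decoder, malicious packet: %d\n",
           checked_decode(MALICIOUS_PKT, sizeof MALICIOUS_PKT));
    printf("checked decoder, benign packet: %d\n",
           checked_decode(BENIGN_PKT, sizeof BENIGN_PKT));
    return 0;
}
```

The order of checks in the hardened decoder matters: the length is compared against the descriptor bound before the packet-length check and before any copy, so a crafted length can neither overrun the destination nor be used to read beyond the packet. In a real server this rejection should close the connection and log the offending peer, which also gives SOC teams a concrete detection signal for T1190 attempts against the database port.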
Details
- CWE(s)