CVE-2026-34232
Published: 17 April 2026
Summary
CVE-2026-34232 is a high-severity Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability in FirebirdSQL Firebird, an open-source relational database server. Its CVSS v3.1 base score is 7.5 (High); the impact is confined to availability (a remote, unauthenticated crash of the server process).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004, a sub-technique of Endpoint Denial of Service). It ranks at the 29.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling); in practice the direct remedy is applying the vendor fix (SI-2, Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) directly mitigates this CVE: upgrading to 5.0.4, 4.0.7 or 3.0.14 applies the vendor fix for the xdr_status_vector() mishandling of isc_arg_cstring in op_response packets.
SI-10 (Information Input Validation) addresses the defect class: the decoder must check the structure of an incoming op_response status vector and explicitly handle, or cleanly reject, every argument type it may contain, including isc_arg_cstring, instead of assuming well-formed input.
SI-11 (Error Handling) addresses the failure mode: an unexpected argument type in xdr_status_vector() should surface as a protocol error on that connection, not terminate the server process, so availability is preserved.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets a remote, unauthenticated attacker crash the Firebird server, which maps directly to Endpoint Denial of Service: Application or System Exploitation (T1499.004).
NVD Description
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Deeper analysis
CVE-2026-34232 is a denial-of-service vulnerability in Firebird, an open-source relational database management system. The issue resides in xdr_status_vector(), the routine that decodes the XDR-encoded status vector carried in an op_response packet: it does not handle the isc_arg_cstring argument type, and encountering one in the status vector crashes the server. Affected versions are those prior to 5.0.4, 4.0.7 and 3.0.14. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, low attack complexity, no privileges or user interaction required, high availability impact and no confidentiality or integrity impact. It is classified as CWE-228 (Improper Handling of Syntactically Invalid Structure).
An unauthenticated remote attacker who can reach the Firebird listener can exploit the flaw by sending a specially crafted op_response packet, crashing the server and denying service to all of its clients. op_response is ordinarily a reply the server sends to a client; the bug is reachable because the server-side decoder also parses one it receives. No credentials, user interaction or special privileges are required.
The Firebird project fixed the issue in releases 5.0.4, 4.0.7 and 3.0.14; operators should upgrade to the patched release of the branch they run. Until the upgrade is applied, restricting network reachability of the Firebird listener (default TCP port 3050) to trusted clients reduces exposure, since the attack needs no credentials. Additional details are available in the project's security advisory at https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-7jq3-6j3c-5cm2 and the corresponding release notes at https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14, https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7, and https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4.
Details
- CWE(s)