An update for firebird is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2015 Final 1.0 1.0 2026-04-25 Initial 2026-04-25 2026-04-25 openEuler SA Tool V1.0 2026-04-25 firebird security update An update for firebird is now available for openEuler-24.03-LTS-SP1 Firebird is a relational database offering many ANSI SQL standard features that runs on Linux, Windows, MacOS and a variety of Unix platforms. Firebird offers excellent concurrency, high performance, and powerful language support for stored procedures and triggers. It has been used in production systems, under a variety of names, since 1981. Security Fix(es): Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.(CVE-2025-65104) Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.(CVE-2026-27890) Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14.(CVE-2026-28212) Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.(CVE-2026-28214) Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.(CVE-2026-28224) Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.(CVE-2026-33337) Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.(CVE-2026-34232) Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.(CVE-2026-35215) Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.(CVE-2026-40342) An update for firebird is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical firebird https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-65104 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-27890 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-28212 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-28214 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-28224 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-33337 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34232 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-35215 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40342 https://nvd.nist.gov/vuln/detail/CVE-2025-65104 https://nvd.nist.gov/vuln/detail/CVE-2026-27890 https://nvd.nist.gov/vuln/detail/CVE-2026-28212 https://nvd.nist.gov/vuln/detail/CVE-2026-28214 https://nvd.nist.gov/vuln/detail/CVE-2026-28224 https://nvd.nist.gov/vuln/detail/CVE-2026-33337 https://nvd.nist.gov/vuln/detail/CVE-2026-34232 https://nvd.nist.gov/vuln/detail/CVE-2026-35215 https://nvd.nist.gov/vuln/detail/CVE-2026-40342 openEuler-24.03-LTS-SP1 firebird-4.0.7.3271-1.oe2403sp1.aarch64.rpm firebird-debuginfo-4.0.7.3271-1.oe2403sp1.aarch64.rpm firebird-debugsource-4.0.7.3271-1.oe2403sp1.aarch64.rpm firebird-devel-4.0.7.3271-1.oe2403sp1.aarch64.rpm firebird-utils-4.0.7.3271-1.oe2403sp1.aarch64.rpm libfbclient2-4.0.7.3271-1.oe2403sp1.aarch64.rpm libfbclient2-devel-4.0.7.3271-1.oe2403sp1.aarch64.rpm libib-util-4.0.7.3271-1.oe2403sp1.aarch64.rpm firebird-4.0.7.3271-1.oe2403sp1.src.rpm firebird-4.0.7.3271-1.oe2403sp1.x86_64.rpm firebird-debuginfo-4.0.7.3271-1.oe2403sp1.x86_64.rpm firebird-debugsource-4.0.7.3271-1.oe2403sp1.x86_64.rpm firebird-devel-4.0.7.3271-1.oe2403sp1.x86_64.rpm firebird-utils-4.0.7.3271-1.oe2403sp1.x86_64.rpm libfbclient2-4.0.7.3271-1.oe2403sp1.x86_64.rpm libfbclient2-devel-4.0.7.3271-1.oe2403sp1.x86_64.rpm libib-util-4.0.7.3271-1.oe2403sp1.x86_64.rpm firebird-help-4.0.7.3271-1.oe2403sp1.noarch.rpm Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher. 2026-04-25 CVE-2025-65104 openEuler-24.03-LTS-SP1 High 7.9 AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14. 2026-04-25 CVE-2026-27890 openEuler-24.03-LTS-SP1 High 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14. 2026-04-25 CVE-2026-28212 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14. 2026-04-25 CVE-2026-28214 openEuler-24.03-LTS-SP1 Medium 6.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14. 2026-04-25 CVE-2026-28224 openEuler-24.03-LTS-SP1 High 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14. 2026-04-25 CVE-2026-33337 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14. 2026-04-25 CVE-2026-34232 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14. 2026-04-25 CVE-2026-35215 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015 Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14. 2026-04-25 CVE-2026-40342 openEuler-24.03-LTS-SP1 Critical 9.9 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H firebird security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2015