CVE-2026-28214

UNKNOWN 0.0

Firebird server hangs when using specific clumplet on batch creation

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

CWE	CWE-190 CWE-835
Vendor	firebirdsql
Product	firebird
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for firebirdsql firebird

Be the first to know when new unknown vulnerabilities affecting firebirdsql firebird are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

FirebirdSQL / firebird

>= 3.0.0, < 3.0.14 >= 4.0.0, < 4.0.7 >= 5.0.0, < 5.0.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-7cq5-994r-jhrf github.com: https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14 github.com: https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7 github.com: https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4