{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-28224/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-28224"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-28224","denial-of-service","firebird","database"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-28224 describes a denial-of-service vulnerability affecting Firebird, an open-source relational database management system. The vulnerability exists in versions prior to 5.0.4, 4.0.7, and 3.0.14. An unauthenticated attacker can exploit this vulnerability by sending a crafted \u003ccode\u003eop_crypt_key_callback\u003c/code\u003e packet to the server. When the server receives this packet without prior authentication, the \u003ccode\u003eport_server_crypt_callback\u003c/code\u003e handler is not initialized, resulting in a null pointer dereference. This leads to a server crash, effectively causing a denial-of-service condition. The attacker only needs to know the server\u0026rsquo;s IP address and port to trigger this vulnerability. The vulnerability has been patched in Firebird versions 5.0.4, 4.0.7 and 3.0.14.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Firebird server by scanning for exposed ports (typically 3050).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a TCP connection with the targeted Firebird server on the identified port.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eop_crypt_key_callback\u003c/code\u003e packet. This packet does not require prior authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted \u003ccode\u003eop_crypt_key_callback\u003c/code\u003e packet to the Firebird server.\u003c/li\u003e\n\u003cli\u003eUpon receiving the packet, the server attempts to process the request in the \u003ccode\u003eport_server_crypt_callback\u003c/code\u003e handler.\u003c/li\u003e\n\u003cli\u003eBecause no prior authentication has occurred, the \u003ccode\u003eport_server_crypt_callback\u003c/code\u003e handler is not properly initialized, leading to a null pointer dereference.\u003c/li\u003e\n\u003cli\u003eThe null pointer dereference causes the Firebird server process to crash.\u003c/li\u003e\n\u003cli\u003eThe Firebird database server becomes unavailable, resulting in a denial-of-service condition for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-28224 results in a denial-of-service condition, rendering the Firebird database server unavailable. This can disrupt applications and services that rely on the database, leading to data access issues, application downtime, and potential data loss if proper backup and recovery mechanisms are not in place. The number of affected organizations depends on the prevalence of vulnerable Firebird versions and their exposure to the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Firebird servers to versions 5.0.4, 4.0.7, or 3.0.14 or later to patch CVE-2026-28224.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Firebird Crypt Callback\u0026rdquo; to your SIEM to identify potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access control lists (ACLs) to restrict access to Firebird servers from untrusted networks, mitigating the risk of unauthorized exploitation (network_connection logs).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious \u003ccode\u003eop_crypt_key_callback\u003c/code\u003e packets being sent to Firebird servers, particularly from untrusted sources (network_connection logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T10:00:00Z","date_published":"2026-04-18T10:00:00Z","id":"/briefs/2026-04-firebird-dos/","summary":"An unauthenticated attacker can trigger a denial-of-service condition on vulnerable Firebird servers by sending a specially crafted op_crypt_key_callback packet, leading to a null pointer dereference and server crash.","title":"Firebird Server Denial-of-Service Vulnerability (CVE-2026-28224)","url":"https://feed.craftedsignal.io/briefs/2026-04-firebird-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-28224","version":"https://jsonfeed.org/version/1.1"}