Cve-2026-40342 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-40342/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 17 Apr 2026 20:16:35 +0000Firebird Path Traversal Vulnerability Leads to Code Execution (CVE-2026-40342)https://feed.craftedsignal.io/briefs/2026-04-firebird-path-traversal/Fri, 17 Apr 2026 20:16:35 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-firebird-path-traversal/An authenticated user with CREATE FUNCTION privileges can exploit a path traversal vulnerability in Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14, to load an arbitrary shared library leading to code execution as the server's OS account.Firebird, an open-source relational database management system, is vulnerable to a path traversal flaw (CVE-2026-40342) in versions prior to 5.0.4, 4.0.7, and 3.0.14. This vulnerability resides within the external engine plugin loader. The loader concatenates a user-supplied engine name into a filesystem path without proper sanitization, leaving it open to path traversal attacks. An authenticated user with CREATE FUNCTION privileges can craft a malicious ENGINE name containing path separators and .. components. This allows them to load an arbitrary shared library from anywhere on the filesystem. The library’s initialization code executes immediately upon loading, before Firebird can validate the module, effectively granting code execution under the security context of the server’s operating system account. Upgrading to versions 5.0.4, 4.0.7, or 3.0.14 resolves this issue.

Attack Chain

  1. Attacker authenticates to the Firebird database server with an account possessing CREATE FUNCTION privileges.
  2. Attacker crafts a malicious ENGINE name that includes path traversal sequences (e.g., ../../../../).
  3. The attacker uses the crafted ENGINE name in a CREATE FUNCTION statement, specifying a path to an arbitrary shared library on the filesystem. For example, CREATE FUNCTION evil_func RETURNS INTEGER ENGINE '/path/to/evil/../../../../tmp/evil.so'.
  4. The Firebird server’s plugin loader concatenates the provided ENGINE name into a filesystem path without proper validation.
  5. The Firebird server attempts to load the shared library from the attacker-controlled path, effectively bypassing intended access controls.
  6. The operating system loads the shared library into the Firebird server’s process.
  7. The shared library’s initialization code executes immediately, granting the attacker arbitrary code execution within the context of the Firebird server process.
  8. The attacker gains control of the Firebird server’s OS account, potentially leading to data exfiltration, system compromise, or denial of service.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Firebird server with the privileges of the operating system account running the Firebird service. This can lead to full system compromise, including data exfiltration, modification, or destruction. Given the high CVSS score of 9.9, this vulnerability poses a critical risk to organizations using vulnerable Firebird versions. The impact could range from complete database compromise to lateral movement within the network, depending on the privileges of the Firebird service account.

Recommendation

  • Upgrade Firebird servers to versions 5.0.4, 4.0.7, or 3.0.14 to patch CVE-2026-40342.
  • Monitor Firebird server logs for CREATE FUNCTION statements with suspicious ENGINE names containing path traversal sequences, and deploy the Sigma rule Detect Firebird Create Function Path Traversal to your SIEM.
  • Implement strict access controls to limit CREATE FUNCTION privileges to only authorized users, and enable audit logging on all Firebird database servers to monitor user activity.
]]>criticaladvisoryfirebirdpath-traversalcode-executioncve-2026-40342database