SB2026061956 - SUSE update for firebird
Published: June 19, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 vulnerabilities.
1) Incorrect calculation (CVE-ID: CVE-2025-65104)
CWE-ID: CWE-682 - Incorrect Calculation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information and modify data.
The vulnerability exists due to improper data length handling in XSQLDA fields when processing responses from a Firebird 4 or higher server. A local user can use the firebird3 client with a newer server to disclose sensitive information and modify data.
The issue occurs when the firebird3 client is used with a Firebird 4 or higher server.
2) Out-of-bounds write (CVE-ID: CVE-2026-27890)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in CNCT_specific_data handling when processing out-of-order CNCT_specific_data sequence segments during authentication. A remote attacker can send specially crafted sequence segments to cause a denial of service.
The issue can be triggered before authentication and may cause a SIGSEGV in the server process.
3) NULL pointer dereference (CVE-ID: CVE-2026-28212)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in xdr_slice() when processing an op_slice packet. A remote attacker can send a specially crafted packet to cause a denial of service.
The issue is triggered when slice_response->p_slr_sdl is unprepared and contains a null pointer that is passed to SDL_info(), causing the server to crash with SIGSEGV.
4) Integer overflow (CVE-ID: CVE-2026-28214)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to an integer overflow in ClumpletReader::getClumpletSize() when parsing a batch parameter block clumplet during batch creation. A remote user can send a specially crafted batch parameter block to cause a denial of service.
Exploitation requires valid authentication and INSERT privilege on a table.
5) NULL pointer dereference (CVE-ID: CVE-2026-28224)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to null pointer dereference in port_server_crypt_callback handling when processing an unauthenticated op_crypt_key_callback request. A remote attacker can send a specially crafted request to cause a denial of service.
The request can be sent without authorization.
6) Buffer overflow (CVE-ID: CVE-2026-33337)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a buffer overflow in xdr_datum() when parsing a corrupted slice packet. A remote attacker can send a specially crafted slice packet to cause a denial of service.
The issue occurs when a cstring length is not checked against the slice descriptor or the entire slice length before being written into a slice-sized buffer.
7) Input validation error (CVE-ID: CVE-2026-34232)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in xdr_status_vector() when parsing an op_response packet containing isc_arg_cstring in the status vector. A remote attacker can send a specially crafted packet to cause a denial of service.
The issue can crash the server while decoding a client-supplied op_response packet, even though such a request is later dropped in loopThread().
8) Input validation error (CVE-ID: CVE-2026-35215)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in sdl_desc() when processing a crafted slice packet. A remote attacker can send a specially crafted slice packet to cause a denial of service.
The issue results from a division by zero when the decoded SDL descriptor length is later used to calculate the number of items in the slice.
9) Path traversal (CVE-ID: CVE-2026-40342)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to path traversal in the external engine plugin loader when processing a CREATE FUNCTION statement with a crafted ENGINE name. A remote user can send a specially crafted SQL statement to execute arbitrary code.
The loaded library's initialization code runs immediately during loading, before Firebird verifies that the module is a valid plugin.
Remediation
Install update from vendor's website.