Is CVE-2026-28224 actively exploited?

CVE-2026-28224 has no public evidence of in-the-wild exploitation as of 2026-04-24.

What is the CVSS score for CVE-2026-28224?

CVE-2026-28224 has a CVSS score of 8.2 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H.

How do I patch CVE-2026-28224?

Patch guidance is available from firebirdsql security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-28224.

Fix CVE-2026-28224 - HIGH firebirdsql firebird

Q: Which products are affected by CVE-2026-28224?

3 products: firebirdsql firebird, firebirdsql firebird, firebirdsql firebird.

Description

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: high
Weaknesses: CWE-476 · NULL Pointer Dereference

Metadata

Primary Vendor: FIREBIRDSQL
Published: 4/17/2026
Last Modified: 4/24/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-28224

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary