Skip to main content

Suse EUVDEUVD-2026-23496

| CVE-2026-40342 CRITICAL
Path Traversal (CWE-22)
2026-04-17 GitHub_M
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Patch released
Apr 27, 2026 - 14:28 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Apr 17, 2026 - 20:22 NVD
10.0 (CRITICAL) 9.9 (CRITICAL)
Patch available
Apr 17, 2026 - 20:16 EUVD
Analysis Generated
Apr 17, 2026 - 20:07 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 19:45 euvd
EUVD-2026-23496
Analysis Generated
Apr 17, 2026 - 19:45 vuln.today
CVE Published
Apr 17, 2026 - 19:22 nvd
CRITICAL 9.9

DescriptionGitHub Advisory

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

AnalysisAI

Remote code execution in Firebird RDBMS versions prior to 5.0.4, 4.0.7, and 3.0.14 allows authenticated users with CREATE FUNCTION privileges to execute arbitrary code as the database server process through path traversal in the external engine plugin loader. The vulnerability stems from insufficient input validation (CWE-22) when concatenating user-supplied engine names into filesystem paths, enabling attackers to load malicious shared libraries from arbitrary locations. With CVSS 10.0 and scope change (S:C), successful exploitation grants full system compromise beyond database boundaries. EPSS data not provided, no CISA KEV listing identified, indicating targeted rather than widespread exploitation at time of analysis. Vendor-released patches available across all affected major versions.

Technical ContextAI

Firebird's external engine plugin architecture allows database functions to invoke code from dynamically loaded shared libraries (.so/.dll files). The plugin loader accepts user-controlled ENGINE parameter values during CREATE FUNCTION statements and constructs filesystem paths by string concatenation without proper sanitization. Path traversal vulnerability (CWE-22) occurs because the loader fails to strip directory separators (../, ../../) or validate that the resulting path stays within intended plugin directories. When loading the attacker-specified library, the operating system executes initialization routines (_init sections, DllMain, or constructor functions) before Firebird performs module validation, creating a pre-validation code execution window. The affected CPE (cpe:2.3:a:firebirdsql:firebird) covers all deployment modes of Firebird RDBMS. The scope change metric (S:C) reflects that library code executes with the server's OS privileges, breaking out of the database's security context to impact the underlying system.

RemediationAI

Upgrade immediately to Firebird 5.0.4 (https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4), 4.0.7 (https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7), or 3.0.14 (https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14) depending on your major version branch. These releases include input validation fixes that sanitize ENGINE parameter values and restrict plugin loading to designated directories. If immediate patching is not feasible, implement defense-in-depth controls: revoke CREATE FUNCTION privileges from all non-administrative accounts through GRANT/REVOKE commands, restricting this capability to a minimal set of trusted DBAs (note: this breaks applications that dynamically create UDFs and requires code changes). Configure firewall rules or network segmentation to block direct network access to Firebird ports (default 3050/tcp) from untrusted networks, forcing access through application tiers that do not expose CREATE FUNCTION capabilities (trade-off: does not mitigate insider threats or compromised application accounts). Enable Firebird's audit logging to monitor CREATE FUNCTION statements for anomalous ENGINE values containing path traversal patterns. No workaround fully mitigates the vulnerability without patching.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.3 Fixed

Share

EUVD-2026-23496 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy