CVE-2024-26161 Overview
CVE-2024-26161 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server. The flaw is classified as a heap-based buffer overflow [CWE-122] and affects a broad range of Windows client and server releases. An unauthenticated attacker can execute arbitrary code in the context of the user who initiates a connection to a malicious SQL Server. Exploitation requires user interaction, typically convincing the target to connect to an attacker-controlled database endpoint. Microsoft published the advisory on March 12, 2024 and rates the issue 8.8 on the CVSS v3.1 scale.
Critical Impact
Successful exploitation grants arbitrary code execution on the victim host with full confidentiality, integrity, and availability impact across all supported Windows desktop and server platforms.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and Server 2022 23H2
Discovery Timeline
- 2024-03-12 - CVE-2024-26161 published to NVD and Microsoft releases security update
- 2024-12-05 - Last updated in NVD database
Technical Details for CVE-2024-26161
Vulnerability Analysis
The vulnerability resides in the WDAC OLE DB provider for SQL Server (msoledbsql/sqloledb), the client-side library used by Windows applications to communicate with SQL Server endpoints over the Tabular Data Stream (TDS) protocol. The provider mishandles memory allocations when parsing server-supplied response data, producing a heap-based buffer overflow on the client. The EPSS score is 1.471% with a percentile of 81.259, indicating elevated exploitation likelihood relative to most CVEs. Because the corruption occurs in client code, the attacker must own or control the SQL Server the victim connects to. Once the victim initiates the connection, malformed responses overflow internal buffers, allowing the attacker to corrupt heap structures and redirect execution.
Root Cause
The defect is an improper bounds check during processing of attacker-controlled fields in TDS response packets. The provider writes beyond the allocated heap region [CWE-122], overwriting adjacent metadata or function pointers and enabling control-flow hijack.
Attack Vector
The attack vector is network-based but requires user interaction. An attacker hosts a malicious SQL Server and lures a victim, often through a crafted connection string, ODBC data source, Excel workbook, Power Query, or linked server reference, to connect. The crafted server then returns malformed TDS data that triggers the overflow inside the OLE DB provider running in the user's process. Verified public proof-of-concept code is not available for this CVE. See the Microsoft Security Update Guide for CVE-2024-26161 for vendor technical details.
Detection Methods for CVE-2024-26161
Indicators of Compromise
- Outbound TCP connections to untrusted hosts on port 1433 or other custom SQL Server ports originating from end-user workstations.
- Unexpected loading of msoledbsql.dll, sqloledb.dll, or oledb32.dll inside Office, browser, or scripting host processes.
- Crash dumps in Windows Error Reporting referencing the OLE DB provider with access violations in heap routines.
- Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawning from Office applications shortly after a database query action.
Detection Strategies
- Hunt for processes loading the WDAC OLE DB DLLs while also creating remote network sessions to non-corporate IP ranges.
- Correlate .udl, .odc, .iqy, or .dqy file opens with subsequent outbound SQL Server connections from user endpoints.
- Alert on TDS traffic egressing the perimeter to public IP addresses, which is uncommon in most enterprise environments.
Monitoring Recommendations
- Enable Sysmon Event ID 7 (image loaded) and Event ID 3 (network connect) for the OLE DB provider DLLs and forward to your SIEM.
- Track Windows patch compliance for the March 2024 security rollup across all Windows 10, 11, and Server SKUs.
- Baseline which business applications legitimately use OLE DB so anomalous loaders surface quickly.
How to Mitigate CVE-2024-26161
Immediate Actions Required
- Apply the March 2024 Microsoft security updates referenced in the MSRC advisory for CVE-2024-26161 to all affected Windows builds.
- Prioritize patching workstations used by database administrators, analysts, and developers who routinely connect to SQL Server.
- Block outbound TCP/1433 and other database ports at the perimeter except to sanctioned internal database servers.
- Restrict execution of Office macros and external data connections through Group Policy or Microsoft 365 Apps administrative templates.
Patch Information
Microsoft released the fix on March 12, 2024 as part of the monthly cumulative update for each supported Windows release. Administrators should consult the Microsoft Security Update Guide for CVE-2024-26161 for the KB article and package identifier matching each operating system version.
Workarounds
- Enforce egress filtering so endpoints can only reach trusted internal SQL Server hosts, preventing connections to attacker-controlled servers.
- Disable or restrict external data import features in Excel and Power Query for users who do not require them.
- Remove the OLE DB provider on systems that have no legitimate need for SQL Server client connectivity.
# Verify Windows build and installed updates after applying the March 2024 rollup
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe list brief /format:table
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
