CVE-2024-29984 Overview
CVE-2024-29984 is a remote code execution vulnerability in the Microsoft OLE DB Driver for SQL Server. The flaw is classified under [CWE-122] as a heap-based buffer overflow. An attacker who tricks a user into connecting to a malicious SQL Server instance can execute arbitrary code in the context of the client process. Microsoft rates the issue with a CVSS 3.1 base score of 8.8 and confirms impact across the OLE DB Driver, SQL Server 2019, and SQL Server 2022 on x64 platforms. Successful exploitation compromises the confidentiality, integrity, and availability of the targeted client host.
Critical Impact
A malicious SQL Server can trigger a heap overflow in the OLE DB Driver, leading to remote code execution on connecting clients.
Affected Products
- Microsoft OLE DB Driver for SQL Server
- Microsoft SQL Server 2019 (x64)
- Microsoft SQL Server 2022 (x64)
Discovery Timeline
- 2024-04-09 - CVE-2024-29984 published to NVD by Microsoft
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-29984
Vulnerability Analysis
The vulnerability resides in the Microsoft OLE DB Driver for SQL Server, a client-side data access component used by applications to communicate with SQL Server. The driver mishandles data returned from a SQL Server during response parsing. When the client processes a crafted server response, a heap-based buffer overflow occurs in memory owned by the client process. Exploitation requires user interaction: a user must be induced to connect a vulnerable client to an attacker-controlled SQL Server instance. Because the driver runs in the calling application's process, code execution inherits the privileges of that application, which may include service accounts used by middleware, reporting tools, or backup utilities.
Root Cause
The root cause is improper validation of size or bounds when the driver parses server-supplied Tabular Data Stream (TDS) response fields into heap-allocated buffers. Attacker-controlled length or type metadata leads to an out-of-bounds write on the heap, corresponding to [CWE-122]. Microsoft has not published parser internals, but the CWE mapping and CVSS vector confirm memory corruption reachable over the network with user interaction.
Attack Vector
Exploitation requires the attacker to operate or impersonate a SQL Server endpoint and to convince a user or automated process to initiate a connection. Common lures include shared connection strings, malicious .udl or .odc files, phishing links that invoke database tooling, or DNS and network redirection that routes existing clients to the rogue server. Once the client authenticates or negotiates the session, the crafted response corrupts the heap and diverts execution.
No public proof-of-concept, exploit code, or CISA KEV listing is currently associated with this CVE. See the Microsoft CVE-2024-29984 Advisory for technical details.
Detection Methods for CVE-2024-29984
Indicators of Compromise
- Outbound TDS traffic on TCP 1433 or dynamic SQL ports to unexpected external or newly registered hosts.
- Unexpected crashes of processes loading msoledbsql.dll or msoledbsql19.dll, including Excel, SSMS, SSIS, and custom line-of-business applications.
- Creation of child processes such as cmd.exe or powershell.exe under a parent that hosts the OLE DB Driver.
- DNS resolutions or connection strings referencing SQL Server hostnames not present in the asset inventory.
Detection Strategies
- Hunt for modules msoledbsql*.dll loaded by processes that then spawn shell or scripting interpreters.
- Correlate Windows Error Reporting or application crash events with prior outbound SQL sessions from the same process.
- Alert on user-launched database client processes initiating TDS connections to hosts outside sanctioned database subnets.
Monitoring Recommendations
- Inventory endpoints with the OLE DB Driver installed and monitor the file version of msoledbsql.dll for compliance with the patched release.
- Log outbound SQL Server connections at the firewall and match against an allowlist of approved database servers.
- Enable command-line and module-load telemetry on workstations that host BI, ETL, or reporting tools.
How to Mitigate CVE-2024-29984
Immediate Actions Required
- Apply the Microsoft security update for the OLE DB Driver for SQL Server on every workstation, server, and build agent that connects to SQL Server.
- Update SQL Server 2019 and SQL Server 2022 x64 installations to versions listed in the Microsoft advisory, since these ship the affected driver.
- Restrict outbound TCP 1433 and named-instance broker traffic from user workstations to only approved internal database servers.
- Educate users to reject prompts that request connections to unknown SQL Server hostnames or that open unfamiliar .udl files.
Patch Information
Microsoft released fixed versions of the OLE DB Driver for SQL Server and cumulative updates for SQL Server 2019 and 2022. Refer to the Microsoft CVE-2024-29984 Advisory for the specific driver build numbers and SQL Server cumulative update identifiers that address the heap overflow.
Workarounds
- Block egress to untrusted SQL Server endpoints at perimeter and host firewalls until patching is complete.
- Remove or disable the OLE DB Driver on endpoints that do not require SQL Server connectivity.
- Enforce use of vetted connection strings distributed through configuration management rather than user-supplied values.
# Configuration example: block outbound SQL Server traffic except to approved hosts
New-NetFirewallRule -DisplayName "Block-Outbound-TDS" `
-Direction Outbound -Action Block -Protocol TCP -RemotePort 1433
New-NetFirewallRule -DisplayName "Allow-Approved-SQL" `
-Direction Outbound -Action Allow -Protocol TCP -RemotePort 1433 `
-RemoteAddress 10.10.20.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

