CVE-2026-33120 Overview
CVE-2026-33120 is an untrusted pointer dereference vulnerability [CWE-822] affecting multiple versions of Microsoft SQL Server. An authorized attacker can exploit this flaw over a network to execute arbitrary code within the SQL Server process context. The vulnerability impacts SQL Server 2016, 2017, 2019, 2022, and 2025 on x64 platforms. Successful exploitation requires low-privilege authenticated access but no user interaction, making it reachable through any account capable of issuing crafted queries or RPC requests to the database engine.
Critical Impact
Authenticated attackers can execute code on SQL Server instances over the network, compromising database confidentiality, integrity, and availability.
Affected Products
- Microsoft SQL Server 2016 (x64)
- Microsoft SQL Server 2017 (x64)
- Microsoft SQL Server 2019 (x64)
- Microsoft SQL Server 2022 (x64)
- Microsoft SQL Server 2025 (x64)
Discovery Timeline
- 2026-04-14 - CVE-2026-33120 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-33120
Vulnerability Analysis
The vulnerability is classified as an untrusted pointer dereference [CWE-822]. SQL Server dereferences a pointer whose value originates from untrusted input without validating that it references a legitimate memory location. When the engine processes the malformed request, it follows the attacker-controlled pointer and operates on memory the attacker influences. This condition can be steered into arbitrary code execution within the sqlservr.exe process, which typically runs with elevated service privileges. Because the attack vector is network-based and requires only low privileges, any authenticated database principal with query execution rights becomes a potential exploitation vector.
Root Cause
The root cause is improper validation of a pointer derived from attacker-supplied data within a SQL Server code path. Instead of treating the value as opaque input requiring bounds and origin checks, the affected component dereferences it directly. This pattern allows attackers to control the target of subsequent memory operations, leading to corruption or hijacked execution flow.
Attack Vector
Exploitation requires network reachability to the SQL Server endpoint (typically TCP 1433) and valid credentials with permission to execute queries or stored procedures. The attacker crafts a request containing data that triggers the vulnerable pointer dereference. No user interaction is required. The EPSS score is 0.077% (22.9th percentile) at this time, reflecting that public exploitation tooling has not been observed.
No verified public proof-of-concept code is available. Refer to the Microsoft Security Update CVE-2026-33120 advisory for vendor technical details.
Detection Methods for CVE-2026-33120
Indicators of Compromise
- Unexpected crashes, access violations, or restarts of the sqlservr.exe process recorded in the SQL Server error log or Windows Application event log.
- Anomalous child processes spawned by sqlservr.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- Outbound network connections originating from the SQL Server service to unfamiliar external hosts.
Detection Strategies
- Audit SQL Server logins for low-privilege accounts issuing unusual query patterns, large binary parameters, or repeated malformed RPC calls.
- Enable SQL Server extended events and Windows Error Reporting to capture stack traces consistent with pointer dereference faults.
- Correlate authentication telemetry with process behavior to flag authenticated sessions that precede service instability.
Monitoring Recommendations
- Forward SQL Server audit logs, Windows Security events, and process creation telemetry to a centralized analytics platform for correlation.
- Alert on any process creation where sqlservr.exe is the parent, as the SQL Server service should rarely spawn interactive binaries.
- Track patch state across all SQL Server instances and alert on unpatched hosts exposed to internal or external networks.
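The parent-process check from the Indicators of Compromise and Monitoring Recommendations lists can be run directly against Windows Security event 4688 (process creation). The script below is an added example, not code from the advisory or from Microsoft; it assumes "Audit Process Creation" is enabled on the host, and the watch list of child binaries is taken from the IoC list above and is an assumption about what to alert on. The sample event at the end is constructed, not a real capture.

```powershell
# Added example, not part of the advisory: hunt the Windows Security log for
# process creations (event 4688) whose parent is sqlservr.exe. Requires
# "Audit Process Creation" to be enabled; the child binaries listed below
# are taken from the IoC list and are an assumption about what to alert on.

$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'rundll32.exe')

function ConvertFrom-ProcessCreationEvent {
    # Flatten a 4688 event's EventData into one object keyed by field name.
    param([Parameter(Mandatory)][xml]$EventXml)
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Subject     = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
        Parent      = $fields['ParentProcessName']
        Child       = $fields['NewProcessName']
        CommandLine = $fields['CommandLine']   # empty unless command-line auditing is on
    }
}

function Test-SqlServerSpawnedChild {
    # True when the parent is sqlservr.exe and the child is on the watch list.
    param([Parameter(Mandatory)]$Record)
    if (-not $Record.Parent -or -not $Record.Child) { return $false }
    $parentLeaf = [System.IO.Path]::GetFileName($Record.Parent)
    $childLeaf  = [System.IO.Path]::GetFileName($Record.Child)
    return ($parentLeaf -ieq 'sqlservr.exe') -and ($SuspiciousChildren -icontains $childLeaf)
}

function Get-SqlServerSpawnedChild {
    # Live hunt over the local Security log for the given time window.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object { ConvertFrom-ProcessCreationEvent -EventXml ([xml]$_.ToXml()) } |
        Where-Object { Test-SqlServerSpawnedChild $_ }
}

# Constructed sample event (not a real capture) showing what a hit looks like.
$sampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2026-04-20T03:14:07.1234567Z"/>
  </System>
  <EventData>
    <Data Name="SubjectUserName">MSSQLSERVER</Data>
    <Data Name="SubjectDomainName">NT SERVICE</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine"></Data>
    <Data Name="ParentProcessName">C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe</Data>
  </EventData>
</Event>
'@

$record = ConvertFrom-ProcessCreationEvent -EventXml ([xml]$sampleEventXml)
if (Test-SqlServerSpawnedChild $record) { $record | Format-List }

# On a live host, e.g. the last week of events:
# Get-SqlServerSpawnedChild -Since (Get-Date).AddDays(-7) | Format-Table
```

Matching on the file name rather than the full path keeps the rule working across instance directories (MSSQL13 through MSSQL17) and named instances. Legitimate SQL Agent jobs or xp_cmdshell use will also trip it, so treat hits as leads to correlate with the login telemetry described above rather than as confirmed compromise.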
How to Mitigate CVE-2026-33120
Immediate Actions Required
- Apply the Microsoft security update for CVE-2026-33120 to all affected SQL Server 2016, 2017, 2019, 2022, and 2025 instances.
- Inventory database principals and remove or restrict accounts that do not require query execution privileges.
- Restrict network access to SQL Server endpoints so that only authorized application servers and administrators can connect.
Patch Information
Microsoft has released security updates addressing CVE-2026-33120. Consult the Microsoft Security Update CVE-2026-33120 advisory for the specific cumulative update or GDR package matching each affected SQL Server build. Apply the update during a scheduled maintenance window and validate database functionality afterward.
Workarounds
- Enforce the principle of least privilege so that application service accounts have only the permissions required for their workloads.
- Place SQL Server instances behind firewalls or network security groups that restrict TCP 1433 and the SQL Browser service to trusted subnets.
- Require strong authentication and disable SQL authentication where Windows or Entra ID integrated authentication is feasible.
```powershell
# Configuration example: restrict SQL Server network exposure with Windows Firewall.
# Only the Allow rule is scoped to the application subnet; everything else is dropped
# by the profile's default inbound action. Do not add an unscoped Block rule for port
# 1433: Windows Firewall evaluates Block rules ahead of Allow rules, so such a rule
# would also cut off the application tier it is meant to admit.
New-NetFirewallRule -DisplayName "Allow SQL Server from AppTier" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress 10.10.20.0/24 -Action Allow
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
```
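The patch-state tracking from the Monitoring Recommendations, the principal inventory from the Immediate Actions and the SQL-authentication workaround above can be checked from one place. The script below is an added example, not code from the advisory or from Microsoft; it assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and that you supply the minimum patched build per major version yourself from the Microsoft advisory, since this page does not list fixed build numbers. The hashtable of minimum builds in the usage comment is a placeholder.

```powershell
# Added example, not part of the advisory: for each instance, report the engine
# build against a minimum patched build taken from the Microsoft advisory, and
# count enabled SQL-authenticated logins, which are in scope for a low-privilege,
# network-reachable bug. Requires the SqlServer module (Invoke-Sqlcmd).

# Major engine version -> product name, used only for readable output.
$ProductByMajor = @{
    13 = 'SQL Server 2016'; 14 = 'SQL Server 2017'; 15 = 'SQL Server 2019'
    16 = 'SQL Server 2022'; 17 = 'SQL Server 2025'
}

function Test-BuildAtLeast {
    # True when the running build is at or above the minimum build for the same major version.
    param(
        [Parameter(Mandatory)][string]$ProductVersion,
        [Parameter(Mandatory)][string]$MinimumBuild
    )
    $have = [version]$ProductVersion
    $need = [version]$MinimumBuild
    if ($have.Major -ne $need.Major) { throw "Major version mismatch: $have vs $need" }
    return $have -ge $need
}

function Get-SqlInstanceExposure {
    param(
        [Parameter(Mandatory)][string[]]$ServerInstance,
        # major version -> minimum patched build (values come from the advisory, not from this page)
        [Parameter(Mandatory)][hashtable]$MinimumBuild
    )
    $versionQuery = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS ProductVersion,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(128)) AS ProductLevel
"@
    $loginQuery = @"
SELECT name, IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE type = 'S'              -- SQL_LOGIN (password-based, not Windows or Entra ID)
  AND name NOT LIKE '##%'     -- skip internal certificate-mapped principals
  AND is_disabled = 0
"@
    foreach ($inst in $ServerInstance) {
        try {
            $v      = Invoke-Sqlcmd -ServerInstance $inst -Database master -Query $versionQuery -ErrorAction Stop
            $logins = Invoke-Sqlcmd -ServerInstance $inst -Database master -Query $loginQuery   -ErrorAction Stop
        } catch {
            Write-Warning "$inst : $($_.Exception.Message)"
            continue
        }
        $major = ([version]$v.ProductVersion).Major
        $min   = $MinimumBuild[$major]
        $patched = if ($min) { Test-BuildAtLeast -ProductVersion $v.ProductVersion -MinimumBuild $min }
                   else      { 'unknown (no minimum build supplied for this major version)' }
        [pscustomobject]@{
            Instance     = $inst
            Product      = $ProductByMajor[$major]
            Build        = $v.ProductVersion
            Level        = $v.ProductLevel
            Patched      = $patched
            SqlLogins    = @($logins).Count
            SqlSysadmins = @($logins | Where-Object is_sysadmin -eq 1).Count
        }
    }
}

# Usage (PLACEHOLDER builds: replace with the fixed builds listed in the Microsoft advisory):
# $minimum = @{ 15 = '15.0.PLACEHOLDER'; 16 = '16.0.PLACEHOLDER' }
# Get-SqlInstanceExposure -ServerInstance 'sql01', 'sql02\INST1' -MinimumBuild $minimum | Format-Table
```

Instances reporting Patched = False, or any non-zero SqlSysadmins count, are the ones to prioritise: the former are still exposed, the latter have password-only logins that, if compromised, already satisfy the authentication precondition for this vulnerability.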
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.