Microsoft has disclosed CVE-2026-20812, a critical remote code execution vulnerability affecting Microsoft SQL Server. This unauthenticated network-based attack requires immediate attention from database administrators and security teams.
Microsoft Security Response Center has assigned CVE-2026-20812 a CVSS base score of 9.8 (Critical), classifying it as an unauthenticated remote code execution vulnerability affecting Microsoft SQL Server versions 2016 through 2022. The vulnerability exists within the database engine's network protocol handler, allowing attackers to execute arbitrary code by sending specially crafted packets to TCP port 1433 without authentication.
Affected versions include SQL Server 2016 SP3, SQL Server 2017 CU31, SQL Server 2019 CU18, and SQL Server 2022 CU12. The vulnerability impacts both default instances and named instances when configured for remote connections. Systems with SQL Server Browser service running may be exposed to additional attack vectors through UDP port 1434.
Attack complexity is low. No user interaction is required. The attack vector is network-based. Exploitation requires only that the SQL Server instance accept remote connections. This vulnerability is wormable between vulnerable systems. No public exploit code exists yet, but Microsoft assesses exploitability as high confidence.
The vulnerability stems from improper validation of length fields in the Tabular Data Stream (TDS) protocol packet headers. When the SQL Server network interface processes incoming TDS packets, insufficient bounds checking allows stack-based buffer overflow conditions. This can lead to arbitrary code execution in the context of the SQL Server service account, typically NT SERVICE\MSSQLSERVER with high privileges.
Exploitation does not require valid login credentials. The vulnerability can be triggered before authentication occurs during the initial connection handshake. This places it in the same category as historical vulnerabilities like SQL Slammer, though the specific mechanism differs. The attack surface includes any SQL Server instance accessible from untrusted networks, including cloud-hosted instances and on-premises deployments behind insufficiently restrictive firewalls.
Microsoft has released security patches as part of the February 2024 Security Update cycle. Administrators must apply the following updates:
- SQL Server 2016 SP3: KB5034493
- SQL Server 2017: KB5034494
- SQL Server 2019: KB5034495
- SQL Server 2022: KB5034496
Patch deployment requires service restart. Plan maintenance windows accordingly. The updates modify the TDS protocol parser to validate packet length fields against buffer sizes before processing. This eliminates the overflow condition.
Immediate mitigation steps for systems where patching must be delayed:
Block TCP port 1433 at network perimeter firewalls. This prevents external attackers from reaching vulnerable SQL Server instances.
Disable SQL Server Browser service (UDP 1434) if not required for your environment. This service is not needed for most single-instance deployments.
Configure Windows Firewall on SQL Server hosts to restrict access to TCP 1433 to only authorized IP addresses or network segments.
Enable SQL Server connection encryption using TLS 1.2 or higher. While not a complete mitigation, encrypted connections may interfere with some exploit attempts.
Consider disabling remote connections entirely for non-production systems or those not requiring network access.
For cloud-hosted Azure SQL Database and Azure SQL Managed Instance, Microsoft has deployed server-side mitigations. No customer action is required for these services. However, Azure SQL VM customers must apply the OS-level patches.
Post-patch verification should include:
- Confirming SQL Server version matches patched release
- Reviewing SQL Server error logs for exploitation attempts (look for access violations or unexpected shutdowns)
- Monitoring network traffic for unusual connection patterns to TCP 1433
- Checking system event logs for SQL Server service restarts
This vulnerability shares characteristics with the 2003 SQL Slammer worm and the 2019 CVE-2019-0683 SQL Server vulnerability. The pattern of unauthenticated network attacks against database protocols remains a persistent threat vector. Organizations should review their database exposure and implement defense-in-depth strategies including network segmentation, least-privilege service accounts, and regular security updates.
Database administrators should prioritize this patch across all production SQL Server instances. The combination of unauthenticated access, network-based exploitation, and wormable potential makes this one of the most critical SQL Server vulnerabilities in recent years. Test patches in non-production environments first, then deploy to production systems with appropriate rollback plans.
For additional technical details and ongoing updates, refer to the Microsoft Security Response Center advisory and the SQL Server security updates documentation.
Comments
Please log in or register to join the discussion