Microsoft has patched a critical remote code execution vulnerability in SQL Server that allows attackers to execute arbitrary code over the network by exploiting improper input validation in the database engine's query processor.
Microsoft Security Response Center has released an emergency patch for CVE-2026-20962, a critical remote code execution vulnerability affecting multiple versions of Microsoft SQL Server. The vulnerability carries a CVSS score of 9.8 and enables unauthenticated attackers to execute arbitrary code on affected systems through specially crafted SQL queries sent to the database engine.
Vulnerability Details
The vulnerability exists in the SQL Server Database Engine's query processor component. Specifically, it involves improper validation of user-supplied input during query parsing and optimization. Attackers can craft malicious SQL statements that trigger a buffer overflow condition in the query execution path.
When the vulnerable query processor encounters these malformed queries, it fails to properly validate the size and structure of input data before passing it to internal memory allocation functions. This allows heap-based buffer overflow attacks that can overwrite critical memory structures and eventually lead to arbitrary code execution with the privileges of the SQL Server service account.
Affected Products and Versions
Microsoft SQL Server 2019 (all editions prior to CU-28) Microsoft SQL Server 2017 (all editions prior to CU-31) Microsoft SQL Server 2016 (all editions prior to SP3-GDR) Microsoft SQL Server 2014 (all editions prior to SP3-GDR) Microsoft SQL Server 2012 (all editions prior to SP4-GDR)
The vulnerability does not affect SQL Server 2022 or later versions, as the query processor architecture was redesigned with additional input validation layers.
Attack Vector and Exploitation
Exploitation requires network access to the SQL Server instance. Attackers do not need valid database credentials. The attack can be performed by sending a single, specially crafted TDS (Tabular Data Stream) packet containing the malicious query to TCP port 1433 (default instance) or the custom port assigned to the SQL Server instance.
The vulnerability can be exploited remotely without user interaction. No preview pane, file open, or other user actions are required. This makes it particularly dangerous for internet-facing SQL Server instances or those accessible within compromised corporate networks.
Mitigation Steps
Immediate Actions
Apply the security update from Microsoft Security Update Guide. Download and install the appropriate cumulative update or security patch for your SQL Server version.
Block network access to SQL Server ports (typically 1433 TCP) from untrusted networks. Use firewalls to restrict access to only authorized application servers and management workstations.
Disable SQL Server Browser service if not required. This service can expose instance information to network enumeration.
Enable Windows Firewall on SQL Server hosts and configure rules to allow only necessary SQL Server traffic.
Long-term Hardening
- Implement network segmentation to isolate database servers from general network traffic
- Use SQL Server Authentication instead of Windows Authentication for external applications when possible
- Regularly review and audit SQL Server error logs for signs of exploitation attempts
- Consider implementing database firewalls or web application firewalls that can inspect SQL traffic patterns
Timeline
- Discovery: March 15, 2026 - Vulnerability identified during internal security review
- Report: March 18, 2026 - Reported to Microsoft Security Response Center
- Patch Development: March 20 - April 15, 2026 - Microsoft developed and tested security updates
- Public Disclosure: April 16, 2026 - Coordinated release of security patches and advisory
- Exploit Availability: April 17, 2026 - Proof-of-concept code published on GitHub
Detection and Monitoring
Monitor SQL Server error logs for entries containing:
- "Access violation" errors
- Unexpected query termination events
- Buffer pool allocation failures
Use Windows Event Log to track:
- Event ID 6005 (SQL Server service startup)
- Event ID 6008 (Unexpected SQL Server shutdown)
Network monitoring tools should alert on:
- Unusual TDS packet sizes
- Queries with malformed syntax patterns
- Repeated connection attempts from single IP addresses
Additional Resources
- Microsoft Security Update Guide
- SQL Server Security Best Practices
- Microsoft SQL Server Downloads
- SQL Server Network Configuration Documentation
Risk Assessment
Organizations running affected SQL Server versions should treat this as a critical priority vulnerability. The combination of remote exploitation, no authentication requirement, and potential for full system compromise creates severe risk. Internet-facing SQL Server instances require immediate patching. Internal instances should be patched within 48 hours of discovery.
The vulnerability's CVSS score of 9.8 reflects its network-based attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability. This places it in the highest severity category for database vulnerabilities.
Comments
Please log in or register to join the discussion