Wednesday, January 28, 2026

Microsoft's January 2026 Patch Tuesday: CVE-2026-20803: SQL Server Privilege Escalation

Microsoft's January 2026 Patch Tuesday included a security fix for SQL Server: CVE-2026-20803, an elevation of privilege vulnerability with CVSS score 7.2 (Important).

The vulnerability is classified as CWE-306: Missing Authentication for Critical Function. An attacker who already has high-level privileges on the SQL Server instance could exploit this flaw to escalate further — gaining debugging privileges, dumping system memory, and potentially extracting sensitive data or credentials.

The Details

Attribute            Value
CVE ID               CVE-2026-20803
Severity             Important (CVSS 7.2)
Attack Vector        Network
Attack Complexity    Low
Privileges Required  High
User Interaction     None
Impact               High (Confidentiality, Integrity, Availability)
Exploitability       Exploitation Less Likely

The CVSS vector is: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What Does This Mean in Practice?

This is not a "random attacker on the internet" vulnerability. The attacker needs high-level privileges on the instance first — a compromised service account, an insider threat, or lateral movement from an already-breached system, among other routes.

Once exploited, the attacker could gain debugging access and dump memory — which could expose connection strings, credentials, decrypted data in memory, and other sensitive information that shouldn't be accessible even to privileged users.

The 'Exploitation Less Likely' rating means Microsoft hasn't seen active exploitation and doesn't expect it to be trivially weaponized. But 'less likely' is not 'impossible'.

Which Versions Are Affected?

SQL Server 2022 and SQL Server 2025 are affected. Microsoft has released patches through both the GDR (security-only) and CU (cumulative update) tracks.

Version          Update Track  KB         Patched Build
SQL Server 2025  GDR           KB5073177  17.0.1050.2
SQL Server 2022  CU22 + GDR    KB5072936  16.0.4230.2
SQL Server 2022  GDR           KB5073031  16.0.1165.1

GDR vs. CU: Which Patch Do I Need?

If you're not familiar with Microsoft's SQL Server servicing model:

  • GDR (General Distribution Release) — Security fixes only. Minimal changes. Use this if you're on a baseline RTM build and want to stay conservative.
  • CU (Cumulative Update) — Security fixes plus all other bug fixes and improvements. Use this if you're already on the CU train.

Compare your current build against the table above and review the KB articles for the correct patch:

SELECT @@VERSION;

How to Patch

Download the appropriate update from the links above or from the Microsoft Update Catalog.

Before patching:

  • Back up your databases
  • Test in a non-production environment first
  • Schedule a maintenance window — the SQL Server service will restart

After patching, verify the new build number:

SELECT 
    SERVERPROPERTY('ProductVersion') AS ProductVersion,
    SERVERPROPERTY('ProductLevel') AS ProductLevel,
    SERVERPROPERTY('Edition') AS Edition;
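To turn the two manual checks above (compare your build to the table, then verify the build after patching) into one query, here is an added T-SQL example that is not part of the original post. It assumes SQL Server 2022 reports major version 16 and SQL Server 2025 reports major version 17, and that GDR-track builds have a third version component below 4000 while CU-track builds have 4000 or above; both assumptions come from the build numbers in the table, not from Microsoft documentation.

```sql
-- Added example, not from the original post: compare this instance's build
-- with the patched builds for CVE-2026-20803 listed in the table above.
-- Assumptions: 2022 = major 16, 2025 = major 17; GDR-track builds have a
-- third component below 4000, CU-track builds 4000 or above.
DECLARE @version NVARCHAR(128) =
    CAST(SERVERPROPERTY('ProductVersion') AS NVARCHAR(128));

-- Patched builds from the KB articles referenced in this post.
DECLARE @patched TABLE (
    Major INT, Track NVARCHAR(20), KB NVARCHAR(20), Build NVARCHAR(20));
INSERT INTO @patched (Major, Track, KB, Build) VALUES
    (17, N'GDR',        N'KB5073177', N'17.0.1050.2'),
    (16, N'CU22 + GDR', N'KB5072936', N'16.0.4230.2'),
    (16, N'GDR',        N'KB5073031', N'16.0.1165.1');

-- PARSENAME splits a four-part dotted string; part 4 is the leftmost,
-- so '16.0.4230.2' gives Major = 16, Build3 = 4230, Build4 = 2.
;WITH cur AS (
    SELECT CAST(PARSENAME(@version, 4) AS INT) AS Major,
           CAST(PARSENAME(@version, 2) AS INT) AS Build3,
           CAST(PARSENAME(@version, 1) AS INT) AS Build4
),
fix AS (
    SELECT p.Major, p.Track, p.KB, p.Build,
           CAST(PARSENAME(p.Build, 2) AS INT) AS Build3,
           CAST(PARSENAME(p.Build, 1) AS INT) AS Build4
    FROM @patched AS p
)
SELECT @version AS CurrentBuild,
       f.Track, f.KB, f.Build AS PatchedBuild,
       CASE
           WHEN f.KB IS NULL
               THEN N'Version not covered by this check'
           WHEN c.Build3 > f.Build3
             OR (c.Build3 = f.Build3 AND c.Build4 >= f.Build4)
               THEN N'Patched for CVE-2026-20803'
           ELSE N'NOT patched - apply ' + f.KB
       END AS Status
FROM cur AS c
LEFT JOIN fix AS f
       ON f.Major = c.Major
      -- keep only the row for the servicing track this build is on
      AND ((f.Build3 >= 4000 AND c.Build3 >= 4000)
        OR (f.Build3 <  4000 AND c.Build3 <  4000));
```

Run it once before patching to see which KB applies, and again after the service restart to confirm the Status column flips to "Patched".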

Should You Panic?

No. The attack requires high privileges to begin with, and there's no evidence of active exploitation. But 'exploitation less likely' is not the same as 'never going to happen'.

Patch during your next maintenance window. Don't wait six months.

If your SQL Server instances are exposed to the internet or if you have concerns about insider threats or compromised service accounts, you may wish to prioritize this patch.

A Note on Timing

This security patch (released January 13) is separate from CU23 for SQL Server 2022 and CU1 for SQL Server 2025 (both released January 15). Those cumulative updates have their own problems — specifically, a Database Mail bug that broke alerting.

The security patches (KB5073177, KB5072936, KB5073031) do not have the Database Mail bug. If you need to patch for CVE-2026-20803 but can't risk breaking Database Mail, use the GDR security update rather than the CU.

More to Read:

Microsoft Security Response Center: CVE-2026-20803
KB5073177: Security Update for SQL Server 2025 GDR
KB5073031: Security Update for SQL Server 2022 GDR
KB5072936: Security Update for SQL Server 2022 CU22+GDR
