Wednesday, March 11, 2026

Patch Tuesday: Your sysadmin Role Was Up for Grabs

Yesterday was Patch Tuesday, and this month we've got a good one. CVE-2026-21262 was already publicly disclosed before Microsoft shipped the fix - and it lets an authenticated SQL Server user escalate straight to sysadmin. SQL Server 2016 through 2025, Windows and Linux. No physical access required. No user interaction required. Just a valid login and a network path to your instance. Go patch!

If you're a SQL Server DBA or consultant and you're reading this before patching, stop reading and go patch.

What's the Vulnerability?

CVE-2026-21262 is an elevation of privilege flaw rooted in improper access control (CWE-284) within SQL Server. CVSS score: 8.8 (High). The attack vector is network-based, complexity is low, and it requires only low-level privileges to initiate. No user interaction needed.

Translation: someone with a regular SQL login can walk out as sysadmin. Sysadmin owns the instance. That's your data, your jobs, your linked servers, your service accounts, your everything.

The vulnerability was publicly disclosed before patches shipped. That means the clock started ticking before Microsoft's fix was even available. Exploitation hasn't been confirmed in the wild as of this writing, but 'publicly disclosed' is not a reason to relax — it's a reason to focus.

Two additional elevation of privilege CVEs rode in on the same Patch Tuesday: CVE-2026-26115 and CVE-2026-26116. All three are addressed by the same security updates.

Who's Affected?

Every currently supported SQL Server version — Windows and Linux both. Here's your patch reference:

Version              Track  KB         Build
SQL Server 2016 SP3  GDR    KB5077474  13.0.6480.4
SQL Server 2017      GDR    KB5077472  14.0.2100.4
SQL Server 2017      CU31   KB5077471  14.0.3520.4
SQL Server 2019      GDR    KB5077470  15.0.2160.4
SQL Server 2022      GDR    KB5077465  16.0.1170.5
SQL Server 2025      GDR    KB5077468  17.0.1105.2
SQL Server 2025      CU2    KB5077466  17.0.4020.2

Not sure which track you're on? Run this:

SELECT
    SERVERPROPERTY('ProductVersion')  AS ProductVersion,
    SERVERPROPERTY('ProductLevel')    AS ProductLevel,
    SERVERPROPERTY('ProductUpdateLevel') AS CULevel,
    SERVERPROPERTY('Edition')         AS Edition;

If your build number is below the target for your version, you need the patch. Match your current build to the table above to confirm which KB applies. GDR track gets the GDR KB; CU track gets the CU KB.
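To do that matching on the instance itself, here is an added T-SQL script (not from the original post) that encodes the table above and reports whether the current build meets the fixed build for its version and track. It assumes the GDR/CU track can be inferred from the third component of the build number (each version's CU builds carry a higher third component than its GDR builds); the TrackMin/TrackMax ranges are my assumption, not values from the post.

```sql
-- Added example: match this instance's build against the fixed builds above.
-- Assumption: GDR vs CU track is inferred from the build's third component
-- (TrackMin/TrackMax below); those ranges are not from the post.
DECLARE @ver nvarchar(128) = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
DECLARE @major int = PARSENAME(@ver, 4),
        @build int = PARSENAME(@ver, 2),   -- third component, e.g. 6480
        @rev   int = PARSENAME(@ver, 1);   -- fourth component, e.g. 4

-- Fixed builds from the table above, one row per version/track.
DECLARE @fixes TABLE (
    Version nvarchar(30), Track nvarchar(8), KB nvarchar(12),
    Major int, Build int, Rev int,
    TrackMin int, TrackMax int        -- assumed third-component range for the track
);
INSERT INTO @fixes VALUES
    ('SQL Server 2016 SP3', 'GDR',  'KB5077474', 13, 6480, 4, 6300, 6999),
    ('SQL Server 2017',     'GDR',  'KB5077472', 14, 2100, 4, 2000, 2999),
    ('SQL Server 2017',     'CU31', 'KB5077471', 14, 3520, 4, 3000, 3999),
    ('SQL Server 2019',     'GDR',  'KB5077470', 15, 2160, 4, 2000, 2999),
    ('SQL Server 2022',     'GDR',  'KB5077465', 16, 1170, 5, 1000, 1999),
    ('SQL Server 2025',     'GDR',  'KB5077468', 17, 1105, 2, 1000, 1999),
    ('SQL Server 2025',     'CU2',  'KB5077466', 17, 4020, 2, 4000, 4999);

-- Compare numerically, component by component: a string compare of version
-- text misorders builds whose components differ in length.
SELECT
    @ver AS CurrentBuild,
    f.Version, f.Track, f.KB,
    CASE WHEN f.KB IS NULL THEN NULL
         ELSE CONCAT(f.Major, '.0.', f.Build, '.', f.Rev) END AS FixedBuild,
    CASE
        WHEN f.KB IS NULL
            THEN 'No row in the table above for this version/track - check MSRC'
        WHEN @build > f.Build OR (@build = f.Build AND @rev >= f.Rev)
            THEN 'Patched'
        ELSE 'VULNERABLE - apply ' + f.KB
    END AS Status
FROM (SELECT 1 AS one) AS x            -- one row so a non-match still reports
LEFT JOIN @fixes AS f
    ON f.Major = @major
   AND @build BETWEEN f.TrackMin AND f.TrackMax;
```

A 2019 or 2022 instance on the CU track lands on the "No row" branch because the post only lists GDR KBs for those versions; check MSRC for the matching CU package rather than assuming you are covered.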

What Else Is in These Updates?

Beyond the CVE fix, the March security updates include a couple of hardening changes worth knowing about. One blocks the ALTER USER operation when the target login is the system Administrator account. Another fixes an elevation of privilege issue in the version upgrade process for merge replication. SQL Server 2025 also gets removal of an internal system stored procedure that carried a potential SQL injection risk — separate from CVE-2026-21262, but cleaned up in the same package.

While You're At It

Patching fixes the vulnerability. It doesn't fix whatever may have already happened. After you apply the update, it's worth a quick sanity check on your SQL logins and role memberships:

-- Who's sysadmin right now?
SELECT
    l.name,
    l.type_desc,
    l.is_disabled,
    l.create_date,
    l.modify_date
FROM sys.server_principals AS l
INNER JOIN sys.server_role_members AS rm
    ON l.principal_id = rm.member_principal_id
INNER JOIN sys.server_principals AS r
    ON rm.role_principal_id = r.principal_id
WHERE r.name = 'sysadmin'
ORDER BY l.name;

If anything in that list surprises you, you should investigate before you assume it's fine.

References

CVE-2026-21262 - Microsoft Security Response Center
KB5077474 - SQL Server 2016 SP3 GDR
KB5077472 - SQL Server 2017 GDR
KB5077471 - SQL Server 2017 CU31
KB5077470 - SQL Server 2019 GDR
KB5077465 - SQL Server 2022 GDR
KB5077468 - SQL Server 2025 GDR
KB5077466 - SQL Server 2025 CU2
