This week's Patch Tuesday landed three new SQL Server CVEs. Two are elevation-of-privilege bugs — familiar territory, we had three of those last month. The third one is different. CVE-2026-33120 is a remote code execution flaw in SQL Server 2022. CVSS 8.8. An authenticated, low-privileged login on the network can execute arbitrary code on your SQL Server.
Go. Patch. Now.
CVE-2026-33120 — The RCE
The short version:
| Metric | Value |
|---|---|
| CVSS 3.1 base | 8.8 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Exploit Maturity | Unproven |
| CWE | CWE-822 (Untrusted Pointer Dereference) |
| Affected | SQL Server 2022, build < 16.0.1175.1 |
Microsoft's one-line description: "Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network."
In plain terms: the engine is taking a value supplied by a client session and treating it as a memory address — then reading or writing whatever is at that address without checking that it belongs to legitimate session memory. The attacker chooses the address. Whatever is there gets read or written. With the right alignment, that is code execution under the SQL Server service account context.
The gate is a valid login. That's it. No sysadmin. No db_owner. No user interaction. Just a network path and authentication.
If your 2022 instances have SQL Auth enabled, weak service-account passwords, or stale logins hanging around from old applications: that is your attack surface. And if you read my post on the Larva-26002 BCP malware campaign, you already know what the front half of the attack chain looks like.
CISA's ADP scoring currently lists exploitation as 'none' and automation as 'no.' That window will close. Patch before it does.
The Two EoPs Riding Along
Both affect every currently supported version — 2016 SP3, 2017, 2019, 2022, 2025.
CVE-2026-32167 — SQL injection inside internal system procedures (CWE-89). SQL Server itself is constructing dynamic SQL in some of its own elevated routines without fully neutralizing special characters in the inputs. An attacker who already holds high database privileges can invoke the vulnerable procedure, inject T-SQL, and escalate from high-priv database user to sysadmin. CVSS is the lower end of High because the prerequisite is already an insider or a previously compromised account. The impact if they get there is total.
CVE-2026-32176 — elevation of privilege in the SQL Server engine. The accompanying KB describes bug reference 5029960 — a linked-server fix riding under this CVE — as allowing "a low-privileged SQL Server user to gain sysadmin permissions." Fix Area: SQL Server Engine. Component: PolyBase.
If you run linked servers — and we all run linked servers — this one is not optional.
The Patches
All three CVEs are addressed in the April 14, 2026 Patch Tuesday updates. The RCE (33120) is called out specifically in the SQL Server 2022 GDR KB. The two EoPs span 2016 through 2025.
| Version | Track | KB | Build |
|---|---|---|---|
| SQL Server 2016 SP3 | GDR | KB5084821 | 13.0.6485.1 |
| SQL Server 2017 | CU31 | KB5084818 | 14.0.3525.1 |
| SQL Server 2019 | CU32 | KB5084816 | 15.0.4465.1 |
| SQL Server 2022 | GDR | KB5084815 | 16.0.1175.1 |
| SQL Server 2022 | CU24 | KB5083252 | 16.0.4250.1 |
| SQL Server 2025 | CU3 | KB5083245 | 17.0.4030.1 |
GDR track gets the GDR KB. CU track gets the CU KB. Don't switch tracks by accident. It is painful to undo.
One more thing. SQL Server 2016 hits end of support on July 14, 2026. These may be among the last CVEs it receives a patch for. If you are still running it, the clock is ticking very loudly now.
Check Your Build
```sql
SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion,
       SERVERPROPERTY('ProductLevel') AS ProductLevel,
       SERVERPROPERTY('ProductUpdateLevel') AS CULevel,
       SERVERPROPERTY('Edition') AS Edition;
```
Match your build to the table above. If you are below the target for your version and track, you NEED the patch.
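If you have more than a handful of instances, eyeballing the table gets old fast. The script below is an added example, not part of the original post: it loads the target builds from the table above into a table variable, works out which track the instance is on, and compares build numbers numerically instead of as strings. The track detection (a ProductUpdateLevel of 'CUnn' means CU track, anything else means GDR) is my assumption about how that property behaves, so confirm it against a known instance before trusting the output across your estate.

```sql
-- Added example (not from the original post): automate "match your build to the table".
-- Target builds are the April 14, 2026 minimums from the table above.
SET NOCOUNT ON;

DECLARE @version NVARCHAR(128) = CAST(SERVERPROPERTY('ProductVersion') AS NVARCHAR(128));
DECLARE @update  NVARCHAR(128) = ISNULL(CAST(SERVERPROPERTY('ProductUpdateLevel') AS NVARCHAR(128)), N'');
DECLARE @major   INT = CAST(PARSENAME(@version, 4) AS INT);
-- Assumption: 'CUnn' in ProductUpdateLevel means the CU track; NULL/empty means GDR.
DECLARE @track   NVARCHAR(3) = CASE WHEN @update LIKE N'CU%' THEN N'CU' ELSE N'GDR' END;

DECLARE @targets TABLE (major INT, track NVARCHAR(3), kb NVARCHAR(16), build NVARCHAR(32));
INSERT INTO @targets (major, track, kb, build) VALUES
    (13, N'GDR', N'KB5084821', N'13.0.6485.1'),   -- SQL Server 2016 SP3
    (14, N'CU',  N'KB5084818', N'14.0.3525.1'),   -- SQL Server 2017 CU31
    (15, N'CU',  N'KB5084816', N'15.0.4465.1'),   -- SQL Server 2019 CU32
    (16, N'GDR', N'KB5084815', N'16.0.1175.1'),   -- SQL Server 2022 GDR
    (16, N'CU',  N'KB5083252', N'16.0.4250.1'),   -- SQL Server 2022 CU24
    (17, N'CU',  N'KB5083245', N'17.0.4030.1');   -- SQL Server 2025 CU3

-- Build strings must be compared part by part, not as text:
-- '16.0.999.1' sorts after '16.0.1175.1' as a string but is the older build.
;WITH k AS (
    SELECT t.major, t.track, t.kb, t.build,
           CAST(PARSENAME(t.build, 4) AS BIGINT) * 1000000000000
         + CAST(PARSENAME(t.build, 3) AS BIGINT) * 1000000000
         + CAST(PARSENAME(t.build, 2) AS BIGINT) * 10000
         + CAST(PARSENAME(t.build, 1) AS BIGINT) AS build_key
    FROM @targets AS t
), me AS (
    SELECT CAST(PARSENAME(@version, 4) AS BIGINT) * 1000000000000
         + CAST(PARSENAME(@version, 3) AS BIGINT) * 1000000000
         + CAST(PARSENAME(@version, 2) AS BIGINT) * 10000
         + CAST(PARSENAME(@version, 1) AS BIGINT) AS build_key
)
SELECT @@SERVERNAME AS server_name,
       @version     AS current_build,
       @track       AS track,
       k.kb         AS target_kb,
       k.build      AS target_build,
       CASE WHEN k.kb IS NULL            THEN N'NO TARGET IN TABLE FOR THIS VERSION/TRACK - CHECK MANUALLY'
            WHEN me.build_key >= k.build_key THEN N'OK'
            ELSE N'NEEDS PATCH' END      AS status
FROM me
LEFT JOIN k ON k.major = @major AND k.track = @track;
```

A 2017 or 2019 instance on the GDR track has no row in the table above, so the script flags it for a manual check rather than silently reporting OK.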
More to Read:
CVE-2026-33120 — Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2026-32167 — SQL Server Elevation of Privilege Vulnerability
CVE-2026-32176 — SQL Server Elevation of Privilege Vulnerability
sqlfingers: Patch Tuesday: Your sysadmin Role Was Up for Grabs (March)
sqlfingers: SQL Server 2016: 111 Days. The Last Patch Just Dropped.