CVE-2026-21262: CVE-2026-21262: Elevation of Privilege via Improper Access Control in Microsoft SQL Server

CVE-2026-21262: Elevation of Privilege via Improper Access Control in Microsoft SQL Server

Vulnerability ID: CVE-2026-21262
CVSS Score: 8.8
Published: 2026-03-10

CVE-2026-21262 is a high-severity Elevation of Privilege (EoP) vulnerability affecting Microsoft SQL Server versions 2016 through 2025. It allows an authenticated, low-privileged attacker to escalate their permissions to the sysadmin role over a network connection. The flaw stems from improper access control in the SQL Server network layer protocol implementation, enabling attackers to take complete control of the database instance.

TL;DR

Authenticated, low-privilege network attackers can exploit a logic error in SQL Server's TDS protocol layer to escalate privileges to sysadmin, affecting SQL Server versions 2016-2025.

---

Technical Details

• Vulnerability Class: Elevation of Privilege (EoP)
• CWE ID: CWE-284: Improper Access Control
• CVSS v3.1 Score: 8.8 (High)
• Attack Vector: Network
• Privileges Required: Low
• Exploit Status: Unweaponized / Proof-of-Concept unavailable
• EPSS Score: 0.00081 (0.08%)
• CISA KEV: Not Listed

Affected Systems

• Microsoft SQL Server 2016
• Microsoft SQL Server 2017
• Microsoft SQL Server 2019
• Microsoft SQL Server 2022
• Microsoft SQL Server 2025
• SQL Server 2016 SP3 (GDR): 13.0.0 < 13.0.6480.4 (Fixed in: 13.0.6480.4)
• SQL Server 2016 SP3 (Azure Connect): 13.0.0 < 13.0.7075.5 (Fixed in: 13.0.7075.5)
• SQL Server 2017 (CU 31): 14.0.0 < 14.0.3520.4 (Fixed in: 14.0.3520.4)
• SQL Server 2017 (GDR): 14.0.0 < 14.0.2100.4 (Fixed in: 14.0.2100.4)
• SQL Server 2019 (CU 32): 15.0.0.0 < 15.0.4460.4 (Fixed in: 15.0.4460.4)
• SQL Server 2019 (GDR): 15.0.0 < 15.0.2160.4 (Fixed in: 15.0.2160.4)
• SQL Server 2022 (GDR): 16.0.0 < 16.0.1170.5 (Fixed in: 16.0.1170.5)
• SQL Server 2022 (CU 23): 16.0.0.0 < 16.0.4240.4 (Fixed in: 16.0.4240.4)
• SQL Server 2025 (CU 2): 17.0.0.0 < 17.0.4020.2 (Fixed in: 17.0.4020.2)
• SQL Server 2025 (GDR): 17.0.1050.2 < 17.0.1105.2 (Fixed in: 17.0.1105.2)

Mitigation Strategies

• Apply the official Microsoft GDR or CU patches provided in the March 2026 Patch Tuesday release.
• Implement strict network segmentation to restrict access to SQL Server ports (e.g., TCP 1433) to trusted IPs only.
• Disable the xp_cmdshell extended stored procedure to prevent OS-level command execution.
• Enforce the principle of least privilege for all SQL Server logins and database users.

Remediation Steps:

1. Inventory all Microsoft SQL Server instances across the organization to determine major versions and build numbers.
2. Review the MSRC advisory for CVE-2026-21262 to identify the specific GDR or CU required for each instance.
3. Download the appropriate updates from the Microsoft Update Catalog.
4. Schedule emergency maintenance windows for production database servers.
5. Apply the updates to development and staging environments first to verify application compatibility.
6. Deploy the updates to production servers and verify the @@version string matches the patched build number.
7. Review SQL Server audit logs for any unauthorized role modifications or anomalous activity prior to patching.

References

• MSRC Advisory - CVE-2026-21262
• Tenable Blog - March 2026 Patch Tuesday
• Krebs on Security - March 2026 Edition
• Talos Intelligence - Microsoft Patch Tuesday March 2026
• Rapid7 Analysis - March 2026

---

Read the full report for CVE-2026-21262 on our website for more details including interactive diagrams and full exploit analysis.