DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33120: CVE-2026-33120: Remote Code Execution via Untrusted Pointer Dereference in Microsoft SQL Server

#security #cve #cybersecurity

CVE-2026-33120: Remote Code Execution via Untrusted Pointer Dereference in Microsoft SQL Server

Vulnerability ID: CVE-2026-33120
CVSS Score: 8.8
Published: 2026-04-14

Microsoft SQL Server 2022 contains an untrusted pointer dereference vulnerability (CWE-822) that permits an authenticated, low-privileged attacker to execute arbitrary code within the context of the SQL Server service. This network-exploitable flaw carries a CVSS score of 8.8 and is patched in the April 2026 Security Updates.

TL;DR

An untrusted pointer dereference in Microsoft SQL Server 2022 allows authorized, low-privileged attackers to achieve remote code execution via the network. Successful exploitation results in arbitrary code execution under the SQL Server service account context.

Technical Details

  • CWE ID: CWE-822
  • Attack Vector: Network (Authenticated)
  • CVSS v3.1: 8.8
  • EPSS Score: 0.00062
  • Impact: Remote Code Execution
  • Exploit Status: No Known Exploits
  • CISA KEV: Not Listed

Affected Systems

  • Microsoft SQL Server 2022 (GDR)
  • Microsoft SQL Server 2022 on Linux
  • Microsoft SQL Server 2022 on Windows
  • Microsoft SQL Server 2022 (GDR): 16.0.0 — < 16.0.1175.1 (Fixed in: 16.0.1175.1)
  • Microsoft SQL Server 2022 on Linux: < 16.0.1175.1 (Fixed in: 16.0.1175.1)
  • Microsoft SQL Server 2022 on Windows: < 16.0.1175.1 (Fixed in: 16.0.1175.1)

Mitigation Strategies

  • Apply official Microsoft Security Update KB5084815.
  • Implement network segmentation to restrict SQL Server access to authorized application endpoints.
  • Enforce strict principle of least privilege for all database users and service accounts.
  • Monitor database logs for anomalous T-SQL sequences and unexpected service restarts.

Remediation Steps:

  1. Identify all deployed instances of Microsoft SQL Server 2022 in the environment.
  2. Verify current build numbers against the affected version range (< 16.0.1175.1).
  3. Download security update KB5084815 from the Microsoft Update Catalog.
  4. Schedule emergency maintenance windows for production database servers.
  5. Apply the patch and verify the build number has updated to 16.0.1175.1 or later.
  6. Restart the SQL Server service to ensure the patched binaries are loaded into memory.

References

Read the full report for CVE-2026-33120 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)