CVE-2026-24320 - Vulnerability Details

- Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)

Description

Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may result in memory corruption and the potential leakage of memory content. Successful exploitation of this vulnerability would have a low impact on the confidentiality of the application, with no effect on its integrity or availability.

Published: 2026-02-10

Score: 3.1 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP) allows an authenticated attacker to supply specially crafted input containing unique characters that are improperly converted. This flaw leads to memory corruption and the possible leakage of memory content, yielding a low impact on confidentiality while not affecting integrity or availability.

Affected Systems

The vulnerability affects SAP NetWeaver and ABAP Platform (Application Server ABAP) across multiple kernel versions, including 7.22, 7.54, 7.77, 7.89, 7.93, 9.16, 9.17, 9.18, as well as 64‑bit kernel variants of 7.22.

Risk and Exploitability

The CVSS vector assigns a score of 3.1, indicating low overall severity, and the EPSS score is reported as less than 1%, meaning exploitation probability is very low at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session to the application, where the attacker can execute specially crafted requests to trigger logical memory errors. The weakness corresponds to CWE‑113 and CWE‑787, emphasizing improper input handling and potential buffer overflows.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP NetWeaver and ABAP Platform (Application Server ABAP)

unaffected

Version	Status	Constraints
`KRNL64NUC 7.22`	affected	—
`7.22EXT`	affected	—
`KRNL64UC 7.22`	affected	—
`7.53`	affected	—
`8.04`	affected	—
`KERNEL 7.22`	affected	—
`7.54`	affected	—
`7.77`	affected	—
`7.89`	affected	—
`7.93`	affected	—
`9.16`	affected	—
`9.17`	affected	—
`9.18`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.17:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:::::::*

No data.

Vendor Product Confidence Versions

Sap Se

Sap Netweaver And Abap Platform (application Server Abap)

—

Version	Status	Scheme	Platform
`KRNL64NUC 7.22`	affected	generic	—
`7.22EXT`	affected	generic	—
`KRNL64UC 7.22`	affected	generic	—
`7.53`	affected	generic	—
`8.04`	affected	generic	—
`KERNEL 7.22`	affected	generic	—
`7.54`	affected	generic	—
`7.77`	affected	generic	—
`7.89`	affected	generic	—
`7.93`	affected	generic	—
`9.16`	affected	generic	—
`9.17`	affected	generic	—
`9.18`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the SAP NetWeaver security patch referenced in SAP Note 3678313
Restrict privileged user accounts and enforce least‑privilege access to limit the ability to submit crafted input
Implement input validation controls or enable defensive checks to detect and reject malformed or uniquely‑characterized requests before they reach the kernel

Generated by OpenCVE AI on April 17, 2026 at 20:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://me.sap.com/notes/3678313
https://url.sap/sapsecuritypatchday

History

Tue, 17 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap netweaver As Abap Kernel Sap netweaver As Abap Krnl64nuc Sap netweaver As Abap Krnl64uc
Weaknesses		CWE-787
CPEs		cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:9.17:::::::* cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:::::::* cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:::::::* cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:::::::* cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:::::::*
Vendors & Products		Sap Sap netweaver As Abap Kernel Sap netweaver As Abap Krnl64nuc Sap netweaver As Abap Krnl64uc

Tue, 10 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se sap Netweaver And Abap Platform (application Server Abap)
Vendors & Products		Sap Se Sap Se sap Netweaver And Abap Platform (application Server Abap)

Tue, 10 Feb 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may result in memory corruption and the potential leakage of memory content. Successful exploitation of this vulnerability would have a low impact on the confidentiality of the application, with no effect on its integrity or availability.
Title		Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)
Weaknesses		CWE-113
References		https://me.sap.com/notes/3678313 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Sap Netweaver As Abap Kernel Netweaver As Abap Krnl64nuc Netweaver As Abap Krnl64uc

Sap Se Sap Netweaver And Abap Platform (application Server Abap)

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-02-10T03:03:42.731Z

Updated: 2026-02-10T16:25:30.720Z

Reserved: 2026-01-21T22:15:36.672Z

Link: CVE-2026-24320

Vulnrichment

Updated: 2026-02-10T16:25:27.792Z

NVD

Status : Analyzed

Published: 2026-02-10T04:16:03.990

Modified: 2026-02-17T15:27:30.400

Link: CVE-2026-24320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object