Description
Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.
Published: 2026-04-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network, resulting in full remote code execution. The flaw corresponds to CWE-822 (Untrusted Pointer Dereference): a pointer value taken from an untrusted source is dereferenced without proper validation, allowing an attacker to run arbitrary code with the privileges of the SQL Server service.

Affected Systems

Microsoft SQL Server 2022 GDR is affected. No other product versions are explicitly listed.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. Exploit probability information is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers likely require authorized network access to the SQL Server instance: an authenticated user could use this flaw to gain code execution over the network.

Generated by OpenCVE AI on April 14, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft SQL Server 2022 GDR security update identified in the Microsoft Security Update Guide for CVE-2026-33120.
  • Verify that the patch has been installed by checking the SQL Server version and confirming the hotfix application.
  • Until the patch is applied, restrict network access to the SQL Server and enforce least-privilege for database users.
  • Enable audit logging and review logs for suspicious or unauthorized connection attempts.



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 20:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type: Description
Values removed: none
Values added: Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.

Type: Title
Values removed: none
Values added: Microsoft SQL Server Remote Code Execution Vulnerability

Type: First Time appeared
Values removed: none
Values added: Microsoft; Microsoft sql Server 2022

Type: Weaknesses
Values removed: none
Values added: CWE-822

Type: CPEs
Values removed: none
Values added: cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*

Type: Vendors & Products
Values removed: none
Values added: Microsoft; Microsoft sql Server 2022

Type: References
Values removed: none
Values added: none

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Sql Server 2022
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-15T21:54:45.132Z

Reserved: 2026-03-17T20:15:23.721Z

Link: CVE-2026-33120

Vulnrichment

Updated: 2026-04-14T19:11:51.991Z

NVD

Status: Received

Published: 2026-04-14T18:17:34.420

Modified: 2026-04-14T18:17:34.420

Link: CVE-2026-33120

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:00:06Z

Weaknesses