{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21262", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-11T21:02:05.737Z", "datePublished": "2026-03-10T17:04:32.361Z", "dateUpdated": "2026-04-14T16:35:25.676Z"}, "containers": {"cna": {"title": "SQL Server Elevation of Privilege Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*", "versionStartIncluding": "14.0.0", "versionEndExcluding": "14.0.2100.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "versionStartIncluding": "15.0.0", "versionEndExcluding": "15.0.2160.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*", "versionStartIncluding": "13.0.0", "versionEndExcluding": "13.0.6480.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*", "versionStartIncluding": "14.0.0", "versionEndExcluding": "14.0.3520.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*", "versionStartIncluding": "13.0.0", "versionEndExcluding": "13.0.7075.5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.0.1170.5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "versionStartIncluding": "17.0.1050.2", "versionEndExcluding": "17.0.1105.2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "versionStartIncluding": "15.0.0.0", "versionEndExcluding": "15.0.4460.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "versionStartIncluding": "16.0.0.0", "versionEndExcluding": "16.0.4240.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "versionStartIncluding": "17.0.0.0", "versionEndExcluding": "17.0.4020.2"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft SQL Server 2016 Service Pack 3 (GDR)", "platforms": ["x64-based Systems"], "versions": [{"version": "13.0.0", "lessThan": "13.0.6480.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack", "platforms": ["x64-based Systems"], "versions": [{"version": "13.0.0", "lessThan": "13.0.7075.5", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2017 (CU 31)", "platforms": ["x64-based Systems"], "versions": [{"version": "14.0.0", "lessThan": "14.0.3520.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2017 (GDR)", "platforms": ["x64-based Systems"], "versions": [{"version": "14.0.0", "lessThan": "14.0.2100.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2019 (CU 32)", "platforms": ["x64-based Systems"], "versions": [{"version": "15.0.0.0", "lessThan": "15.0.4460.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2019 (GDR)", "platforms": ["x64-based Systems"], "versions": [{"version": "15.0.0", "lessThan": "15.0.2160.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2022 (GDR)", "platforms": ["x64-based Systems"], "versions": [{"version": "16.0.0", "lessThan": "16.0.1170.5", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2022 for x64-based Systems (CU 23)", "platforms": ["x64-based Systems"], "versions": [{"version": "16.0.0.0", "lessThan": "16.0.4240.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2025 (CU 2)", "platforms": ["x64-based Systems"], "versions": [{"version": "17.0.0.0", "lessThan": "17.0.4020.2", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2025 for x64-based Systems (GDR)", "platforms": ["x64-based Systems"], "versions": [{"version": "17.0.1050.2", "lessThan": "17.0.1105.2", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-284: Improper Access Control", "lang": "en-US", "type": "CWE", "cweId": "CWE-284"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:35:25.676Z"}, "references": [{"name": "SQL Server Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21262"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T03:56:00.384Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21262", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T18:40:14.366473Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:40:15.451Z"}}], "cna": {"title": "SQL Server Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft SQL Server 2016 Service Pack 3 (GDR)", "versions": [{"status": "affected", "version": "13.0.0", "lessThan": "13.0.6480.4", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack", "versions": [{"status": "affected", "version": "13.0.0", "lessThan": "13.0.7075.5", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2017 (CU 31)", "versions": [{"status": "affected", "version": "14.0.0", "lessThan": "14.0.3520.4", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2017 (GDR)", "versions": [{"status": "affected", "version": "14.0.0", "lessThan": "14.0.2100.4", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2019 (CU 32)", "versions": [{"status": "affected", "version": "15.0.0.0", "lessThan": "15.0.4460.4", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2019 (GDR)", "versions": [{"status": "affected", "version": "15.0.0", "lessThan": "15.0.2160.4", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2022 (GDR)", "versions": [{"status": "affected", "version": "16.0.0", "lessThan": "16.0.1170.5", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2022 for x64-based Systems (CU 23)", "versions": [{"status": "affected", "version": "16.0.0.0", "lessThan": "16.0.4240.4", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2025 (CU 2)", "versions": [{"status": "affected", "version": "17.0.0.0", "lessThan": "17.0.4020.2", "versionType": "custom"}], "platforms": ["x64-based Systems"]}, {"vendor": "Microsoft", "product": "Microsoft SQL Server 2025 for x64-based Systems (GDR)", "versions": [{"status": "affected", "version": "17.0.1050.2", "lessThan": "17.0.1105.2", "versionType": "custom"}], "platforms": ["x64-based Systems"]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262", "name": "SQL Server Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "14.0.2100.4", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "15.0.2160.4", "versionStartIncluding": "15.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "13.0.6480.4", "versionStartIncluding": "13.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "14.0.3520.4", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "13.0.7075.5", "versionStartIncluding": "13.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "16.0.1170.5", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "17.0.1105.2", "versionStartIncluding": "17.0.1050.2"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "15.0.4460.4", "versionStartIncluding": "15.0.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "16.0.4240.4", "versionStartIncluding": "16.0.0.0"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "17.0.4020.2", "versionStartIncluding": "17.0.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:35:25.676Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21262", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:35:25.676Z", "dateReserved": "2025-12-11T21:02:05.737Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:04:32.361Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "matchCriteriaId": "0512F204-5C6C-416C-BAE9-37A46C517A5B", "versionEndExcluding": "13.0.6480.4", "versionStartIncluding": "13.0.6300.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "matchCriteriaId": "FF21E018-C759-44FA-B1BF-1A97054606E7", "versionEndExcluding": "13.0.7075.5", "versionStartIncluding": "13.0.7000.253", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "matchCriteriaId": "36B7482B-D75C-4EFD-AD60-251BAD0A9FE4", "versionEndExcluding": "14.0.2100.4", "versionStartIncluding": "14.0.1000.169", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "matchCriteriaId": "AAE03DE1-E3F6-4450-9B06-695C0BEC4517", "versionEndExcluding": "14.0.3520.4", "versionStartIncluding": "14.0.3006.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "matchCriteriaId": "EB3E749F-531E-4516-A23E-C62FB6564CE3", "versionEndExcluding": "15.0.2160.4", "versionStartIncluding": "15.0.2000.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "matchCriteriaId": "06D61310-5AD1-4CFB-9416-EA47CEE5479B", "versionEndExcluding": "15.4460.4", "versionStartIncluding": "15.0.4003.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "matchCriteriaId": "930A8DB4-E8DF-4C8B-8D7C-43DDB705D5E6", "versionEndExcluding": "16.0.1170.5", "versionStartIncluding": "16.0.1000.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "matchCriteriaId": "DA833891-A29B-46C0-8945-693E70C0AA57", "versionEndExcluding": "16.0.4240.4", "versionStartIncluding": "16.0.4003.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "matchCriteriaId": "9498FF0D-E8A3-4430-AE23-EC2BF0631002", "versionEndExcluding": "17.0.1105.2", "versionStartIncluding": "17.0.1000.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "matchCriteriaId": "EE7E80DA-728A-4BA2-9D72-71577FE83723", "versionEndExcluding": "17.0.4020.2", "versionStartIncluding": "17.0.4006.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network."}, {"lang": "es", "value": "Control de acceso inadecuado en SQL Server permite a un atacante autorizado elevar privilegios a trav\u00e9s de una red."}], "id": "CVE-2026-21262", "lastModified": "2026-03-13T19:33:50.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:06.190", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secure@microsoft.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[13.0.0,13.0.6480.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2016 Service Pack 3 (GDR)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2016_service_pack_3_(gdr)", "vendor": "microsoft"}, {"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[13.0.0,13.0.7075.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2016_service_pack_3_azure_connect_feature_pack", "vendor": "microsoft"}, {"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[14.0.0,14.0.3520.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2017 (CU 31)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2017_(cu_31)", "vendor": "microsoft"}, {"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[14.0.0,14.0.2100.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2017 (GDR)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2017_(gdr)", "vendor": "microsoft"}, {"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[15.0.0.0,15.0.4460.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2019 (CU 32)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2019_(cu_32)", "vendor": "microsoft"}, {"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[15.0.0,16.0.1170.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2019 (GDR)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2019_(gdr)", "vendor": "microsoft"}, {"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[16.0.0,16.0.1170.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2022 (GDR)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2022_(gdr)", "vendor": "microsoft"}, {"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[16.0.0.0,16.0.4240.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2022 for x64-based Systems (CU 23)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2022_for_x64-based_systems_(cu_23)", "vendor": "microsoft"}, {"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[17.0.0.0,17.0.4020.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2025 (CU 2)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2025_(cu_2)", "vendor": "microsoft"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[17.0.1050.2,17.0.1105.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Microsoft SQL Server 2025 for x64-based Systems (GDR)", "source": "cna", "vendor": "Microsoft"}, "product": "microsoft_sql_server_2025_for_x64-based_systems_(gdr)", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-16T23:36:06.713721+00:00", "value": {"mitigation_remediation": ["Apply the latest cumulative update for the affected SQL Server version as listed in the Microsoft Security Advisory for CVE-2026-21262", "Restart the SQL Server service after the patch is installed", "Verify that the updated access control policies are enforced and that no elevated privileges persist for unauthorized accounts", "Monitor audit logs for any abnormal privilege escalation incidents", "If a patch cannot be applied immediately, limit network exposure and enforce strict role-based access controls to mitigate the risk until remediation is possible."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected products are Microsoft SQL Server 2016 Service Pack 3, SQL Server 2016 Service Pack 3 Azure Connect Feature Pack, SQL Server 2017 (CU 31 and GDR), SQL Server 2019 (CU 32 and GDR), SQL Server 2022 (GDR and CU 23 for x64), and SQL Server 2025 (CU 2 and GDR for x64). The CVE data does not provide more granular version delineation beyond these packages, so all mentioned builds are considered vulnerable.", "description_and_impact": "Improper access control in Microsoft SQL Server allows an authorized attacker to elevate privileges over a network. The vulnerability is a CWE-284 (Improper Privilege Management) flaw, enabling the attacker to gain higher-level permissions and potentially execute operations reserved for administrators, compromising the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS v3.1 score is 8.8, indicating high severity. The EPSS score is <1%, suggesting limited public exploitation evidence, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network-based, requiring an authorized but partially privileged user to invoke the flaw; exploitation does not require local system access."}}}}, "created": "2026-03-11T11:47:02.106033+00:00", "updated": "2026-03-20T14:31:48.120464+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$microsoft_sql_server_2016_service_pack_3_(gdr)", "microsoft$PRODUCT$microsoft_sql_server_2016_service_pack_3_azure_connect_feature_pack", "microsoft$PRODUCT$microsoft_sql_server_2017_(cu_31)", "microsoft$PRODUCT$microsoft_sql_server_2017_(gdr)", "microsoft$PRODUCT$microsoft_sql_server_2019_(cu_32)", "microsoft$PRODUCT$microsoft_sql_server_2019_(gdr)", "microsoft$PRODUCT$microsoft_sql_server_2022_(gdr)", "microsoft$PRODUCT$microsoft_sql_server_2022_for_x64-based_systems_(cu_23)", "microsoft$PRODUCT$microsoft_sql_server_2025_(cu_2)", "microsoft$PRODUCT$microsoft_sql_server_2025_for_x64-based_systems_(gdr)"]}