{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33120", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-03-17T20:15:23.721Z", "datePublished": "2026-04-14T16:57:48.207Z", "dateUpdated": "2026-05-12T17:38:42.475Z"}, "containers": {"cna": {"title": "Microsoft SQL Server Remote Code Execution Vulnerability", "datePublic": "2026-04-14T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.0.1175.1"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft SQL Server 2022 (GDR)", "platforms": ["x64-based Systems"], "versions": [{"version": "16.0.0", "lessThan": "16.0.1175.1", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-822: Untrusted Pointer Dereference", "lang": "en-US", "type": "CWE", "cweId": "CWE-822"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:38:42.475Z"}, "references": [{"name": "Microsoft SQL Server Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33120"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T03:57:04.991Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33120", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T19:11:50.900767Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:11:51.991Z"}}], "cna": {"title": "Microsoft SQL Server Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft SQL Server 2022 (GDR)", "versions": [{"status": "affected", "version": "16.0.0", "lessThan": "16.0.1175.1", "versionType": "custom"}], "platforms": ["x64-based Systems"]}], "datePublic": "2026-04-14T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120", "name": "Microsoft SQL Server Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-822", "description": "CWE-822: Untrusted Pointer Dereference"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "vulnerable": true, "versionEndExcluding": "16.0.1175.1", "versionStartIncluding": "16.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:38:42.475Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33120", "state": "PUBLISHED", "dateUpdated": "2026-05-12T17:38:42.475Z", "dateReserved": "2026-03-17T20:15:23.721Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-14T16:57:48.207Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "matchCriteriaId": "8BABE301-AB13-4B54-847B-F67EC92CD96C", "versionEndExcluding": "13.0.6485.1", "versionStartIncluding": "13.0.6300.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "matchCriteriaId": "31FD6563-A0B9-48C9-BA0B-BF256BFC466D", "versionEndExcluding": "13.0.7080.1", "versionStartIncluding": "13.0.7000.253", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "matchCriteriaId": "02D807B3-0DE8-4E79-AE5A-574AD32834D4", "versionEndExcluding": "14.0.2105.1", "versionStartIncluding": "14.0.1000.169", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "matchCriteriaId": "F8B94B39-1964-486F-9532-5557C87AFC87", "versionEndExcluding": "14.0.3525.1", "versionStartIncluding": "14.0.3006.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "matchCriteriaId": "EA4AB606-8B66-4C89-8773-4DA1E25FB2AB", "versionEndExcluding": "15.0.2165.1", "versionStartIncluding": "15.0.2000.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "matchCriteriaId": "450ADCF3-0476-4CBE-A0F6-28AE90E9E874", "versionEndExcluding": "15.0.4465.1", "versionStartIncluding": "15.0.4003.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "matchCriteriaId": "FE44A0AE-ECDE-4348-923B-205C691E87DA", "versionEndExcluding": "16.0.1175.1", "versionStartIncluding": "16.0.1000.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "matchCriteriaId": "4BFEE9EB-DB7B-490D-AF61-A0162F9FE782", "versionEndExcluding": "16.0.4250.1", "versionStartIncluding": "16.0.4003.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "matchCriteriaId": "FC0EA29C-9CF8-4ED7-B726-BBACF39DA1A8", "versionEndExcluding": "17.0.1110.1", "versionStartIncluding": "17.0.1000.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "matchCriteriaId": "8220A87D-84FB-43FA-8DF0-2B4D50E69164", "versionEndExcluding": "17.0.4030.1", "versionStartIncluding": "17.0.4006.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network."}], "id": "CVE-2026-33120", "lastModified": "2026-05-06T12:49:30.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-04-14T18:17:34.420", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-822"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["x64-based_systems"], "status": "affected", "versions": {"scheme": "generic", "value": "[16.0.0,16.0.1175.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft SQL Server 2022 (GDR)", "source": "cna", "vendor": "Microsoft"}, "product": "sql_server_2022", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-14T19:54:39.107094+00:00", "value": {"mitigation_remediation": ["Apply the Microsoft SQL Server 2022 GDR security update identified in the Microsoft Security Update Guide for CVE-2026-33120.", "Verify that the patch has been installed by checking the SQL Server version and confirming the hotfix application.", "Until the patch is applied, restrict network access to the SQL Server and enforce least\u2011privilege for database users.", "Enable audit logging and review logs for suspicious or unauthorized connection attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Microsoft SQL Server 2022 GDR is affected. No other product versions are explicitly listed.", "description_and_impact": "Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network, resulting in full remote code execution. The flaw corresponds to CWE\u2011822, indicating that a bad pointer is dereferenced without proper validation, enabling an attacker to run arbitrary code with the privileges of the SQL Server service.", "risk_and_exploitability": "The CVSS score is 8.8, indicating high severity. Exploit probability information is not available, and the vulnerability is not present in the CISA KEV catalog. Attackers likely require authorized network access to the SQL Server instance; an authenticated user could leverage this flaw to gain code execution rights over the network."}}}}, "created": "2026-04-15T14:31:56.921522+00:00", "updated": "2026-04-15T15:00:06.171819+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$sql_server_2022"]}