CVE-2026-32176

Summary

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

Affected Software

VendorProductVersion RangeStatus
MicrosoftMicrosoft SQL Server 2016 Service Pack 3 (GDR)13.0.0 < 13.0.6485.1affected
MicrosoftMicrosoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack13.0.0 < 13.0.7080.1affected
MicrosoftMicrosoft SQL Server 2017 (CU 31)14.0.0 < 14.0.3525.1affected
MicrosoftMicrosoft SQL Server 2017 (GDR)14.0.0 < 14.0.2105.1affected
MicrosoftMicrosoft SQL Server 2019 (CU 32)15.0.0.0 < 15.0.4465.1affected
MicrosoftMicrosoft SQL Server 2019 (GDR)15.0.0 < 15.0.2165.1affected
MicrosoftMicrosoft SQL Server 2022 (GDR)16.0.0 < 16.0.1175.1affected
MicrosoftMicrosoft SQL Server 2022 for x64-based Systems (CU 24)16.0.0.0 < 16.0.4250.1affected
MicrosoftMicrosoft SQL Server 2025 (CU 3)17.0.4030.1 < 17.0.4030.1affected
MicrosoftMicrosoft SQL Server 2025 for x64-based Systems (GDR)17.0.1050.2 < 17.0.1110.1affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References