CVE-2026-47295: Patch SQL Server 2016–2025 Privilege Escalation

Microsoft’s July 14, 2026 security updates fix CVE-2026-47295 across supported releases from SQL Server 2016 SP3 through SQL Server 2025. Administrators should inventory every SQL Server instance, identify its exact build and servicing branch, then install the matching GDR or CU-based security package.
Detailed in Microsoft’s Security Update Guide, CVE-2026-47295 is an SQL injection flaw that allows an authenticated attacker to elevate privileges over a network. Microsoft rates it Important with a CVSS 3.1 base score of 8.8; exploitation requires low privileges but no user interaction, and a successful attack could compromise confidentiality, integrity, and availability.
There is no separate driver package to chase down. Microsoft says any applicable driver fixes are included in the SQL Server security updates.

A cybersecurity analyst monitors patched SQL Server versions, update levels, compliance, and protection against SQL injection.Inventory the Build Before Selecting a Package​

The first task is to identify every installed instance, including named instances, clustered deployments, development servers and SQL Server installations embedded in other products. Checking only the SQL Server product year is not sufficient because Microsoft publishes separate packages for the GDR and CU servicing branches.
Run the following query against each Database Engine instance:
Code:
SELECT
    SERVERPROPERTY('ServerName') AS ServerName,
    SERVERPROPERTY('Edition') AS Edition,
    SERVERPROPERTY('ProductVersion') AS ProductVersion,
    SERVERPROPERTY('ProductLevel') AS ProductLevel,
    SERVERPROPERTY('ProductUpdateLevel') AS ProductUpdateLevel,
    SERVERPROPERTY('ProductUpdateReference') AS ProductUpdateReference;
ProductVersion supplies the four-part build number used to select the update. ProductUpdateLevel can help identify a CU installation, while ProductUpdateReference may return the associated KB number.
Administrators can also run SELECT @@VERSION, inspect the opening lines of the SQL Server error log, or view the instance properties in SQL Server Management Studio. Microsoft’s KB321185 documentation describes these inventory methods, but the actionable value is the build number—for example, 16.0.4255.1 rather than simply “SQL Server 2022.”

Match Each Instance to the July Security Build​

Microsoft has released ten packages covering the supported GDR and CU branches. Install the package corresponding to the current build range of each instance.
Current SQL Server branchInstallPatched build
SQL Server 2025 CU branch, builds 17.0.4006.2–17.0.4055.5KB510134617.0.4060.2
SQL Server 2025 RTM/GDR branch, builds 17.0.1000.7–17.0.1115.1KB510233317.0.1125.2
SQL Server 2022 CU branch, builds 16.0.4003.1–16.0.4255.1KB510134716.0.4262.2
SQL Server 2022 RTM/GDR branch, builds 16.0.1000.6–16.0.1180.1KB510233416.0.1190.2
SQL Server 2019 CU branch, builds 15.0.4003.23–15.0.4470.1KB510233515.0.4480.2
SQL Server 2019 RTM/GDR branch, builds 15.0.2000.5–15.0.2170.1KB510233615.0.2180.2
SQL Server 2017 CU branch, builds 14.0.3006.16–14.0.3530.2KB510233714.0.3540.1
SQL Server 2017 RTM/GDR branch, builds 14.0.1000.169–14.0.2110.2KB510233814.0.2120.1
SQL Server 2016 Azure Connect Feature Pack, builds 13.0.7000.253–13.0.7085.1KB510233913.0.7095.1
SQL Server 2016 SP3/GDR, builds 13.0.6300.2–13.0.6490.1KB510234013.0.6500.1
An instance whose build does not appear in Microsoft’s applicability ranges may be running an unsupported baseline. In that case, the answer is not to force-install the closest package: upgrade to a supported SQL Server product or applicable supported baseline before attempting to apply current security fixes.
The July packages may also remediate other SQL Server vulnerabilities, depending on product version. For example, Microsoft’s SQL Server 2022 CU25 security release, KB5101347, also addresses CVE-2026-47296, CVE-2026-54118 and CVE-2026-55002.

Stay on the Existing Servicing Branch​

A General Distribution Release is the lower-change servicing path. GDR packages cumulatively provide security and other broadly applicable critical fixes for their baseline, without pulling in the full catalog of functional corrections delivered through CUs.
A Cumulative Update contains security fixes plus the functional fixes, reliability improvements and other changes accumulated for that baseline. The CU25+GDR designation on KB5101347 therefore means a security release built for SQL Server 2022 installations following the CU servicing branch through CU25.
The practical selection rule is straightforward:
  • An instance that has intentionally received only RTM or GDR updates should receive the matching RTM/GDR package.
  • An instance already running a CU build should receive the corresponding CU-based security package.
  • An instance still at an untouched baseline can adopt either path, but that choice should follow the organization’s established SQL Server servicing policy.
Installing a CU package moves the instance onto the CU servicing path. Microsoft warns that this is effectively a one-way servicing decision for that installation: once a CU has been applied, administrators cannot simply return to the GDR branch.
This distinction matters in controlled production environments. Choosing the CU package for a GDR-only server may introduce many nonsecurity changes that have not gone through the organization’s application certification process. Choosing the RTM/GDR package for an established CU installation, meanwhile, is not the supported way to patch that branch.

Test Linked Servers Using MSDASQL​

Microsoft documents a known issue in at least the SQL Server 2025 CU6 and SQL Server 2022 CU25 security releases. Linked-server queries using the MSDASQL OLE DB Provider for ODBC Drivers can fail with SQL Server error 7416 when the linked-server definition specifies a provider string through @provstr.
The updated Database Engine performs stricter connection validation and can reject configurations accepted by earlier builds. Affected queries may return an error stating that access to the remote server is denied because no login mapping exists.
That does not justify leaving CVE-2026-47295 exposed, but it does make pre-production testing important. Before broad deployment, administrators should identify linked servers using MSDASQL, validate their login mappings and execute representative distributed queries against a patched test instance.
High-availability deployments require the usual sequencing discipline. Patch secondary replicas or passive nodes first where the architecture permits, perform failover testing, then service the remaining nodes. Backups should be current and restoration procedures verified before changing production database engines.

Windows Update Is Available, but Fleet Control Still Matters​

The security releases are available through Windows Update, Microsoft Update Catalog and Microsoft Download Center. SQL Server instances hosted in Azure virtual machines are also eligible; IaaS placement does not remove the need to patch the guest SQL Server installation.
Automatic updating may be acceptable for workstations and low-risk development systems, but production database fleets usually need deliberate scheduling. SQL Server servicing can restart services, interrupt active connections and affect dependent applications, so administrators should coordinate maintenance windows rather than treating this like an ordinary client-side Windows update.
Linux-hosted SQL Server 2022 and SQL Server 2025 installations are also covered by the relevant security releases. Microsoft directs Linux administrators to use the configured SQL Server CU repository and the package-management command appropriate to their distribution.
After installation, rerun the version query and confirm that every instance reports the expected patched build. Also review the SQL Server setup logs, bring availability replicas back into synchronization, verify SQL Agent jobs and test application connectivity.
The minimum safe outcome is not merely that an update package ran—it is that every supported SQL Server instance now reports one of Microsoft’s fixed builds and remains operational under its existing GDR or CU servicing policy.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
  3. Official source: support.microsoft.com
 

Back
Top