CVE-2026-50468: Update SQL Server 2025 to Fix Data Leak

Microsoft has patched CVE-2026-50468, an information-disclosure vulnerability in SQL Server 2025 that can let an authenticated attacker read sensitive information remotely. The fix shipped on July 14, 2026, in KB5101346 for the CU servicing branch and KB5102333 for the GDR branch.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the flaw is a buffer over-read in the SQL Server Database Engine. Microsoft rates it Important with a CVSS 3.1 score of 6.5, reflecting potentially serious confidentiality loss without the code execution, data modification, or service disruption associated with higher-impact SQL Server bugs.
Administrators should update CU-based installations to build 17.0.4060.2 and GDR installations to build 17.0.1125.2. Because the July packages address several additional SQL Server vulnerabilities, including remote-code-execution and elevation-of-privilege flaws, deployment priority should be based on the complete security release rather than CVE-2026-50468 in isolation.

SQL Server 2025 security graphic highlights CVE-2026-50468, buffer over-read risks, protected data, and compatibility warnings.Authentication Narrows the Door, Not the Damage​

The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation can occur over a network, requires low privileges, has low attack complexity, and needs no action from another user.
That makes CVE-2026-50468 different from an unauthenticated, internet-wide SQL Server exploit. An attacker must first possess valid authorization to the database service, whether through a legitimate low-privilege account, stolen credentials, a compromised application identity, or another foothold that provides SQL access.
Once that prerequisite is satisfied, however, Microsoft’s scoring indicates a high potential impact on confidentiality. The flaw does not receive integrity or availability impact under the published assessment, so Microsoft is not claiming that it can directly alter data, take control of the server, or crash the Database Engine.
The vulnerability is categorized as CWE-126, buffer over-read. This class of memory-safety problem occurs when software reads beyond the intended boundary of a buffer, potentially exposing adjacent memory. Depending on what SQL Server has stored nearby at the time, such a disclosure could reveal data that the requesting account was not meant to receive.
Microsoft has not publicly documented the specific query, protocol exchange, or affected Database Engine operation needed to trigger the condition. That limits defenders’ ability to create a narrowly targeted detection rule, but it also means the public advisory does not hand attackers a ready-made exploitation recipe.
CISA’s initial Stakeholder-Specific Vulnerability Categorization record reported no observed exploitation, assessed the attack as not readily automatable, and classified the technical impact as partial. The National Vulnerability Database was still awaiting its own enrichment analysis on July 15, one day after Microsoft published the CVE.

The Affected Range Is Unusually Narrow​

Microsoft’s current product data lists SQL Server 2025 rather than the older SQL Server 2022, 2019, 2017, and 2016 branches as affected by CVE-2026-50468. That distinction matters because the July 2026 SQL Server release contains other CVEs with much wider version coverage.
For SQL Server 2025 systems following the cumulative-update branch, vulnerable builds are those earlier than 17.0.4060.2 in the applicable CU6 servicing range. KB5101346 advances the Database Engine to product version 17.0.4060.2 and file version 2025.170.4060.2.
The CU package applies to SQL Server 2025 on both Windows and Linux across all editions. Microsoft says it can be installed over SQL Server 2025 or any SQL Server 2025 CU through the CU6 GDR baseline.
Systems maintained on the General Distribution Release branch require KB5102333 instead. That package advances the GDR branch to 17.0.1125.2. Administrators should not switch servicing branches casually or select a package solely because its build number appears higher; the applicable update depends on the existing SQL Server servicing track.
A quick inventory should therefore capture more than the major product version. On each instance, administrators can retrieve the exact build and edition with:
Code:
SELECT
    SERVERPROPERTY('ProductVersion') AS ProductVersion,
    SERVERPROPERTY('ProductLevel') AS ProductLevel,
    SERVERPROPERTY('Edition') AS Edition;
The returned build should then be compared with the relevant fixed baseline. Version 17.0.4060.2 or later is the target for the CU branch, while 17.0.1125.2 or later is the target for the GDR branch.

July’s SQL Server Package Carries More Than One Fix​

KB5101346 is not a single-purpose patch. Microsoft lists seven security advisories in the SQL Server 2025 CU6 update, covering CVE-2026-50468 alongside elevation-of-privilege and remote-code-execution vulnerabilities.
That bundling changes the risk calculation. An organization might otherwise schedule a CVSS 6.5 information leak behind more urgent maintenance, particularly because Microsoft and CISA have not reported exploitation. The same package, however, also repairs SQL Server vulnerabilities with more severe consequences.
Microsoft distributes KB5101346 through Windows Update, the Microsoft Update Catalog, and the Download Center. Linux installations receive the updated SQL Server packages through Microsoft’s configured cumulative-update repository and the platform’s package-management tools.
The update requires a SQL Server service restart and should be treated as database maintenance rather than as a routine Windows client patch. Availability Groups, failover cluster instances, replication topologies, log shipping, backup infrastructure, and application connection pools all need to be considered in the deployment plan.
Administrators should confirm that replicas and nodes follow a supported upgrade sequence, validate failover readiness, and take or verify recoverable backups before servicing production instances. After installation, the SQL Server error log, Windows event logs, cluster state, SQL Agent jobs, application health checks, and replication queues should be reviewed before the maintenance window is closed.

Linked Servers Remain the Deployment Trap​

Microsoft documents a known issue affecting linked-server queries that use the MSDASQL OLE DB provider for ODBC drivers and specify a provider string through @provstr. A stricter Database Engine connection-validation check can reject configurations that worked on earlier builds.
Affected queries can fail with SQL Server error 7416:
Code:
Msg 7416, Level 16
Access to the remote server is denied because no login-mapping exists.
This behavior is not newly unique to CVE-2026-50468; Microsoft has documented it across multiple recent SQL Server security releases. It remains relevant because organizations using linked servers to reach non-SQL Server databases, legacy ODBC sources, reporting systems, or line-of-business platforms may encounter an application outage after patching.
Testing should include the actual linked-server workflows used in production, not merely a successful Database Engine startup. Teams should exercise scheduled imports, SQL Agent jobs, ETL packages, reporting queries, and stored procedures that traverse MSDASQL, particularly where provider strings or implicit login mappings are involved.
A compatibility problem does not make remaining on a vulnerable build the safer long-term choice. It does mean that database teams need a tested remediation for the linked-server configuration and a rollback plan appropriate to their availability requirements.
Microsoft also recommends enabling encryption with Extended Protection to strengthen SQL Server connections on Windows. That hardening measure does not replace KB5101346 or KB5102333, but it can reduce credential-relay and connection-security risks around the database environment.

CVE-2026-50468 is currently a confirmed but sparsely documented vulnerability: Microsoft has identified the buffer over-read, supplied a CVSS vector, named the affected SQL Server 2025 branches, and released corrected builds, while withholding the triggering mechanics. For administrators, the actionable line is therefore clear—move CU installations to 17.0.4060.2 or GDR installations to 17.0.1125.2, then verify linked-server behavior before declaring the July 2026 SQL Server maintenance complete.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
 

Back
Top