Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable with low-privilege auth required; type confusion yields read-only data disclosure with no integrity or availability impact.
Primary rating from Vendor (microsoft).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Access of resource using incompatible type ('type confusion') in SQL Server allows an authorized attacker to disclose information over a network.
AnalysisAI
Type confusion (CWE-843) in Microsoft SQL Server 2025 enables authenticated, low-privileged network attackers to disclose sensitive server-side information. The CVSS vector (AV:N/PR:L/C:H) confirms that any authorized database user - regardless of their data access permissions - can potentially trigger the flaw remotely with no user interaction required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid, authenticated database session with at least low-privilege access (PR:L per CVSS) to the SQL Server 2025 instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score is grounded in a realistic threat model: AV:N confirms network reachability, AC:L indicates no special timing or race conditions, but PR:L anchors the risk firmly to authenticated database sessions - unauthenticated exploitation is not possible per the CVSS vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privileged SQL Server account - such as a read-only reporting account or a compromised service account - connects to the SQL Server 2025 instance over the network and submits a crafted query or function call that triggers the type confusion in the server's query processor or memory management layer. The server misinterprets the resource type and returns memory contents or data from a region the user is not authorized to read, disclosing sensitive information to the attacker. … |
| Remediation | Apply the vendor-released patch available through the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54116. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated, low-privileged attacker t
Remote code execution in Microsoft SQL Server 2025 (CU6 and the x64 GDR branch) lets an authenticated attacker run arbit
Privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated attacker to inject crafted S
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user
Buffer over-read in Microsoft SQL Server 2025 exposes server memory contents to low-privileged authenticated attackers o
Same technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44225
GHSA-g4mf-v8c5-8rjm