Skip to main content

SQL Server 2025 EUVDEUVD-2026-44224

| CVE-2026-50468 MEDIUM
Buffer Over-read (CWE-126)
2026-07-14 microsoft GHSA-89h6-3v24-5cwv
6.5
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ENISA EUVD
HIGH
qualitative
vuln.today AI
6.5 MEDIUM

Network-reachable SQL Server requires only a valid low-privilege login; buffer over-read is read-only yielding C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 22:06 vuln.today
CVE Published
Jul 14, 2026 - 17:09 cve.org
MEDIUM 6.5

DescriptionCVE.org

Buffer over-read in SQL Server allows an authorized attacker to disclose information over a network.

AnalysisAI

Buffer over-read in Microsoft SQL Server 2025 exposes server memory contents to low-privileged authenticated attackers over the network, resulting in high confidentiality impact with no integrity or availability consequences. Both the Cumulative Update 6 (CU 6) and General Distribution Release (GDR) servicing tracks on x64-based systems are confirmed affected per vendor CPE data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged SQL Server credentials
Delivery
Establish network connection to SQL Server (TCP 1433)
Exploit
Send crafted query triggering buffer over-read
Execution
Server reads beyond allocated buffer boundary
Impact
Extraneous memory contents returned to attacker over network

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid SQL Server login with at minimum low-privileged access (CVSS PR:L) - unauthenticated access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, low-complexity flaw yielding high confidentiality impact, but gated behind low-privileged authentication - meaning unauthenticated mass exploitation is not possible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged SQL Server account - such as a read-only application service account or an internal developer login - connects to a SQL Server 2025 instance over the network and submits a crafted query or protocol message designed to trigger the buffer over-read in the server's data processing layer. The server reads beyond its intended memory buffer boundary and returns the extraneous memory contents to the authenticated client over the network, potentially exposing in-memory data such as result-set fragments, session data, or other co-resident sensitive information. …
Remediation Apply the vendor-released security update per Microsoft's MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50468; the input data confirms a patch is available but does not specify the exact fixed build numbers - these must be verified directly from the advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy