CVE-2026-42990

Microsoft · Windows

A heap-based buffer overflow exists in the SQL Server ODBC driver on various Windows versions, allowing unauthenticated remote code execution.

Executive summary

A critical heap-based buffer overflow in the SQL Server ODBC driver affects multiple versions of Windows and allows for unauthenticated remote code execution.

Vulnerability

The vulnerability is a heap-based buffer overflow (CWE-122) within the SQL Server ODBC driver. An unauthenticated attacker can trigger this flaw over a network to execute arbitrary code on the host system.

Business impact

This vulnerability carries a CVSS score of 9.8, reflecting its potential for full system compromise. Successful exploitation could allow an attacker to gain complete control over affected servers, leading to unauthorized data access, lateral movement within the network, and significant operational downtime.

Remediation

Immediate Action: Apply the vendor-supplied security updates immediately to bring systems to the non-vulnerable build versions listed in the metadata.

Proactive Monitoring: Monitor network traffic for unusual patterns directed at database ports and review system logs for signs of unexpected process execution or memory corruption errors.

Compensating Controls: Deploy network segmentation to restrict access to the SQL Server ODBC driver interfaces to only known and trusted hosts.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the critical severity and the potential for remote code execution without authentication, administrators must prioritize patching this vulnerability across all identified Windows platforms. Apply the available updates as soon as possible to mitigate the risk of system compromise.