PT-2026-24260 · Microsoft · Sql Server 2016 Sp3+2
Erland Sommarskog · Published 2026-03-10 · Updated 2026-04-22 · CVE-2026-21262
CVSS v2.0: 9.0 High (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Name of the Vulnerable Software and Affected Versions
SQL Server versions 2016 SP3 through 2025
Description
An improper access control issue in SQL Server allows an authorized attacker to elevate privileges over a network. An attacker can gain sysadmin privileges remotely on affected SQL Server instances.
Recommendations
Apply the patch released in Microsoft’s March 2026 Patch Tuesday to all SQL Server versions from 2016 SP3 through 2025.
Fix
LPE
DoS
Improper Access Control
Weakness Enumeration
Related Identifiers
Affected Products
Sql Server
Sql Server 2016 Sp3
Sql Server 2025