VYPR
High severity8.8NVD Advisory· Published Apr 14, 2026· Updated May 6, 2026

CVE-2026-33120

CVE-2026-33120

Description

Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.

Affected products

5
  • cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*+ 4 more
    • cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*range: >=13.0.6300.2,<13.0.6485.1
    • cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*range: >=14.0.1000.169,<14.0.2105.1
    • cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*range: >=15.0.2000.5,<15.0.2165.1
    • cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*range: >=16.0.1000.6,<16.0.1175.1
    • cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*range: >=17.0.1000.7,<17.0.1110.1

Patches

Vulnerability mechanics

References

1

News mentions

1