Critical Memory Corruption Vulnerability Disclosed in SAP NetWeaver
SAP's July 2026 Security Patch Day addresses a critical memory corruption flaw in SAP NetWeaver Application Server ABAP, rated CVSS 9.9, alongside other significant vulnerabilities.

SAP has issued its July 2026 Security Patch Day updates, which include fixes for a critical memory corruption vulnerability affecting the SAP NetWeaver Application Server ABAP. The most severe of these issues, identified as CVE-2026-44747, carries a CVSS score of 9.9 and impacts multiple SAP kernel versions commonly used in enterprise environments. This update, released on July 14, comprises 16 new security notes and one GitHub security advisory, in addition to three updates for previously released notes. SAP strongly advises administrators to review their affected systems and prioritize the application of these critical patches via the SAP Support Portal.
The critical NetWeaver ABAP vulnerability, detailed in SAP Security Note 3747367, is described as a memory corruption issue that arises from improper handling of memory operations within an application. Successful exploitation could allow an attacker to alter program execution flow, gain unauthorized access to sensitive data, cause service disruptions, or execute malicious code. The vulnerability affects several SAP kernel and NetWeaver versions, including specific iterations of KRNL64NUC, KRNL64UC, and kernel versions 7.53 through 9.20. Organizations must verify their specific software components and patch levels before deploying the fixes. The CVSS vector indicates that exploitation is possible over the network with low complexity and privilege requirements, and without user interaction, posing a significant risk to confidentiality, integrity, and availability.
Beyond the critical NetWeaver flaw, SAP's July Patch Day also addresses two other high-severity vulnerabilities. CVE-2026-27690 is an HTTP request smuggling vulnerability in SAP Approuter versions prior to 20.10.0, rated at CVSS 9.1. This type of attack can enable threat actors to bypass front-end security measures or manipulate how back-end systems process HTTP requests. Another critical issue, CVE-2026-44761, affects SAP Commerce Cloud releases HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21. This vulnerability stems from the use of insecure sample credentials, with a CVSS score of 9.1, potentially granting unauthorized access to sensitive environments.
SAP also provided an update to a June security note concerning CVE-2026-40128, a directory traversal vulnerability in the SAP NetWeaver Application Server Java Web Container. This flaw, with a CVSS score of 9.0, could allow attackers to access or modify files outside of their intended directories. The comprehensive list of vulnerabilities patched this month also includes issues in SAP Integration Suite Edge Integration Cell, SAProuter, SAP NetWeaver AS Java Configuration Wizard, SAP Approuter, SAP Commerce Cloud, SAP Change and Transport System Attach Tool, SAP NetWeaver Enterprise Portal, UI5 Web Components Base, SAP S/4HANA Project Management, SAP NetWeaver AS ABAP Business Server Pages, SAP S/4HANA Draft Operation, SAP S/4HANA Create Single Payment, SAP Fiori Launchpad, and SAP CRM WebClient UI.
Security teams are strongly advised to prioritize the patching of CVE-2026-44747 by applying SAP Note 3747367. It is recommended to validate kernel compatibility, test patches in non-production environments, and accelerate deployment for internet-facing or business-critical SAP NetWeaver instances. Additional security measures include restricting unnecessary network access to SAP application servers, reviewing privileged accounts, monitoring system logs for suspicious activities, and ensuring reliable backups are available prior to any maintenance operations.
SAP's monthly Security Patch Days are the vendor's established channel for releasing corrective Security Notes. The company consistently recommends that its customers diligently review and implement these notes to maintain the security posture of their SAP landscapes. Proactive patching remains a cornerstone of enterprise cybersecurity, especially for complex and widely deployed systems like SAP NetWeaver, which often handle the most sensitive business data.
SAP's July 2026 security patch day also addresses a critical HTTP request smuggling vulnerability in Approuter (CVE-2026-27690) and a hardcoded credential issue in Commerce Cloud (CVE-2026-44761). The Approuter flaw allows unauthenticated attackers to manipulate HTTP requests, while the Commerce Cloud vulnerability stems from insecure sample configuration scripts that could grant unauthorized API access. Additionally, a previously patched NetWeaver vulnerability received an update for broader package support.