CVE-2026-54118
Microsoft SQL Server Remote Code Execution Vulnerability
Description
Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network.
In plain language
AI Act nowCVE-2026-54118 is a Microsoft SQL Server weakness where a remote attacker can run arbitrary code if they can get an authorized foothold; most small businesses should treat this as high priority for patching.
CVE-2026-54118 is an unsafe deserialization issue in Microsoft SQL Server that allows an authorized attacker to execute arbitrary code remotely over the network (CWE-502).
What to do now
- Identify your Microsoft SQL Server version (including whether you run the 2016 SP3 GDR/Azure Connect Feature Pack, 2017 CU 31/GDR, 2019 CU 32/GDR, 2022 GDR, or 2025 CU 6/GDR).
- Compare your current build number to the fixed builds from Microsoft for CVE-2026-54118.
- Upgrade SQL Server to a fixed version: 13.0.6500.1, 13.0.7095.1, 14.0.3540.1, 14.0.2120.1, 15.0.4480.2, 15.0.2180.2, 16.0.1190.2, 16.0.4262.2, 17.0.4060.2, or 17.0.1125.2 (as applicable to your edition).
- After updating, verify the SQL Server build number reflects the patched level and re-check application/account access that could provide an attacker with “authorized” access.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:LPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
3 techniquesReferences
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attacken·The Hacker News·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-54118 and every CVE in our database. Create a free account — no credit card required.
Create Free Account