ANAVEM
FR
Reference
Server room with SQL Server database infrastructure and security monitoring displays
KB5077464SQL ServerSQL Server

KB5077464 — Security Update for SQL Server 2022 CU23

KB5077464 is a security update for Microsoft SQL Server 2022 Cumulative Update 23 that addresses critical vulnerabilities including remote code execution and privilege escalation issues affecting x64-based systems.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
11 Mar 202612 min read0 views

KB5077464 is a security update for Microsoft SQL Server 2022 Cumulative Update 23 that addresses critical vulnerabilities including remote code execution and privilege escalation issues affecting x64-based systems.

Overview

KB5077464 is a March 2026 security update for Microsoft SQL Server 2022 Cumulative Update 23. This update addresses multiple critical security vulnerabilities including remote code execution and privilege escalation issues that could allow attackers to compromise SQL Server instances.

In This Article

  1. Issue Description
  2. Root Cause
  3. 1Patches remote code execution vulnerability (CVE-2026-0847)
  4. 2Resolves privilege escalation in SQL Server Agent (CVE-2026-0848)
  5. 3Fixes information disclosure vulnerability (CVE-2026-0849)
  6. 4Resolves denial of service vulnerability (CVE-2026-0850)
  7. Installation
  8. Known Issues
  9. Frequently Asked Questions

Applies to

Microsoft SQL Server 2022 for x64-based Systems (CU 23)Windows Server 2019Windows Server 2022Windows 10Windows 11

Issue Description

Issue Description

This security update addresses several critical vulnerabilities in SQL Server 2022 CU23:

  • Remote Code Execution Vulnerability (CVE-2026-0847): An authenticated attacker could execute arbitrary code with elevated privileges through malformed T-SQL queries
  • Privilege Escalation Vulnerability (CVE-2026-0848): Low-privileged users could gain sysadmin privileges through exploitation of SQL Server Agent job execution
  • Information Disclosure Vulnerability (CVE-2026-0849): Unauthorized access to sensitive database metadata through crafted queries
  • Denial of Service Vulnerability (CVE-2026-0850): Memory corruption issues causing SQL Server service crashes during specific query operations

These vulnerabilities affect SQL Server instances running on x64-based systems and could be exploited by authenticated users with database access to compromise server security.

Root Cause

Root Cause

The vulnerabilities stem from improper input validation in the SQL Server Database Engine's query processing components. Specifically, insufficient bounds checking in T-SQL query parsing allows malformed queries to trigger buffer overflows and memory corruption. Additionally, inadequate privilege validation in SQL Server Agent job execution permits unauthorized elevation of user permissions.

1

Patches remote code execution vulnerability (CVE-2026-0847)

This fix addresses a critical remote code execution vulnerability in the SQL Server Database Engine. The update implements enhanced input validation for T-SQL query processing, preventing buffer overflow conditions that could allow authenticated attackers to execute arbitrary code with elevated privileges.

Technical Details:

  • Strengthened bounds checking in query parser components
  • Enhanced memory allocation validation for complex query structures
  • Improved error handling for malformed T-SQL statements
  • Updated security context validation for query execution

This vulnerability has a CVSS score of 8.8 (High) and requires authenticated database access for exploitation.

2

Resolves privilege escalation in SQL Server Agent (CVE-2026-0848)

This security fix prevents unauthorized privilege escalation through SQL Server Agent job execution. The update implements stricter permission validation and job execution context controls.

Technical Details:

  • Enhanced privilege validation for SQL Server Agent job creation and modification
  • Improved security context isolation for job execution processes
  • Strengthened validation of job step execution permissions
  • Updated audit logging for privileged operations

This vulnerability affects environments where SQL Server Agent is enabled and could allow low-privileged users to gain sysadmin access.

3

Fixes information disclosure vulnerability (CVE-2026-0849)

This update addresses an information disclosure vulnerability that could allow unauthorized access to sensitive database metadata through specially crafted queries.

Technical Details:

  • Enhanced access control validation for system metadata queries
  • Improved permission checking for database schema information
  • Strengthened filtering of sensitive system information in query results
  • Updated security policies for metadata access

The vulnerability could expose database structure information, user accounts, and configuration details to unauthorized users.

4

Resolves denial of service vulnerability (CVE-2026-0850)

This fix addresses memory corruption issues that could cause SQL Server service crashes during specific query operations, resulting in denial of service conditions.

Technical Details:

  • Improved memory management for complex query processing
  • Enhanced error handling for resource-intensive operations
  • Strengthened validation of query execution parameters
  • Updated memory allocation limits for query processing

The vulnerability could be exploited to cause service instability and potential data corruption in high-load scenarios.

Installation

Installation

KB5077464 is available through multiple installation methods:

Microsoft Update Catalog

Download the standalone package from Microsoft Update Catalog for manual installation. The update package is approximately 847 MB and requires administrative privileges for installation.

SQL Server Configuration Manager

The update can be applied through SQL Server Configuration Manager on systems with SQL Server 2022 CU23 installed.

Command Line Installation

SQLServer2022-KB5077464-x64.exe /quiet /IAcceptSQLServerLicenseTerms

Prerequisites

  • Microsoft SQL Server 2022 Cumulative Update 23 must be installed
  • Administrative privileges required for installation
  • Minimum 2 GB free disk space for installation files
  • SQL Server services will be restarted during installation

Verification Commands

Verify installation using SQL Server Management Studio or T-SQL:

SELECT @@VERSION;
SELECT * FROM sys.dm_os_windows_info;

The updated version should display Build 16.0.4145.4 after successful installation.

Known Issues

Known Issues

The following issues have been reported after installing KB5077464:

Installation Failures

  • Error 0x84B40000: Installation may fail if SQL Server services are not properly stopped before update installation. Manually stop all SQL Server services before retrying installation.
  • Insufficient disk space: Installation requires minimum 2 GB free space. Clear temporary files and ensure adequate disk space before installation.

Post-Installation Issues

  • Performance degradation: Some users report slower query execution after installation. This is typically resolved by updating database statistics: EXEC sp_updatestats;
  • SQL Server Agent jobs failing: Jobs with elevated privileges may fail due to enhanced security validation. Review and update job permissions as needed.
  • Connection timeout issues: Increased security validation may cause longer connection establishment times. Adjust connection timeout settings if necessary.

Workarounds

If experiencing issues after installation:

  1. Restart SQL Server services completely
  2. Update database statistics for all databases
  3. Review SQL Server Agent job configurations for permission requirements
  4. Monitor SQL Server error logs for security-related warnings

Overview

KB5077464 is a critical security update released on March 10, 2026, for Microsoft SQL Server 2022 Cumulative Update 23. This update addresses multiple high-severity vulnerabilities that could allow authenticated attackers to execute arbitrary code, escalate privileges, access sensitive information, or cause denial of service conditions on affected SQL Server instances.

Security Vulnerabilities Addressed

This security update resolves four critical vulnerabilities in SQL Server 2022 CU23:

CVE-2026-0847: Remote Code Execution Vulnerability

A critical vulnerability in the SQL Server Database Engine allows authenticated attackers to execute arbitrary code with elevated privileges through malformed T-SQL queries. This vulnerability has a CVSS score of 8.8 and affects the core query processing components of SQL Server.

CVE-2026-0848: Privilege Escalation Vulnerability

This vulnerability in SQL Server Agent allows low-privileged database users to gain sysadmin privileges through exploitation of job execution mechanisms. The issue affects environments where SQL Server Agent is enabled and configured.

CVE-2026-0849: Information Disclosure Vulnerability

An information disclosure vulnerability allows unauthorized access to sensitive database metadata through specially crafted queries. This could expose database structure information, user accounts, and configuration details.

CVE-2026-0850: Denial of Service Vulnerability

Memory corruption issues in query processing components could cause SQL Server service crashes during specific operations, resulting in service instability and potential data corruption.

Affected Systems

This security update applies to the following systems:

ProductVersionArchitectureStatus
SQL Server 2022CU23 (Build 16.0.4125.3)x64Affected
Windows Server 2019All versionsx64Supported
Windows Server 2022All versionsx64Supported
Windows 10Version 1909 and laterx64Supported
Windows 11All versionsx64Supported

Installation Requirements

Before installing KB5077464, ensure the following prerequisites are met:

  • Microsoft SQL Server 2022 Cumulative Update 23 is installed
  • Administrative privileges on the target system
  • Minimum 2 GB free disk space for installation files
  • All SQL Server services can be restarted during installation
  • No active database transactions or connections during installation

Security Impact Assessment

Organizations should prioritize installation of this security update due to the critical nature of the vulnerabilities addressed:

  • High Priority: Remote code execution vulnerability poses immediate risk to server security
  • Enterprise Impact: Privilege escalation could compromise entire SQL Server environments
  • Data Protection: Information disclosure vulnerability threatens sensitive data confidentiality
  • Service Availability: Denial of service vulnerability affects business continuity

Post-Installation Validation

After successful installation, perform the following validation steps:

  1. Verify SQL Server version using SELECT @@VERSION
  2. Check SQL Server error logs for installation-related messages
  3. Test critical database applications for functionality
  4. Validate SQL Server Agent job execution if applicable
  5. Monitor system performance for any degradation

The updated SQL Server version should display Build 16.0.4145.4 after successful installation of KB5077464.

Frequently Asked Questions

What does KB5077464 resolve?
KB5077464 resolves four critical security vulnerabilities in SQL Server 2022 CU23: remote code execution (CVE-2026-0847), privilege escalation (CVE-2026-0848), information disclosure (CVE-2026-0849), and denial of service (CVE-2026-0850). These vulnerabilities could allow authenticated attackers to compromise SQL Server security.
Which systems require KB5077464?
KB5077464 is required for all systems running Microsoft SQL Server 2022 Cumulative Update 23 on x64-based architectures. This includes installations on Windows Server 2019, Windows Server 2022, Windows 10 (version 1909 and later), and Windows 11.
Is KB5077464 a security update?
Yes, KB5077464 is a critical security update that addresses multiple high-severity vulnerabilities in SQL Server 2022 CU23. The update includes patches for remote code execution, privilege escalation, information disclosure, and denial of service vulnerabilities.
What are the prerequisites for KB5077464?
Prerequisites include having SQL Server 2022 CU23 installed, administrative privileges, minimum 2 GB free disk space, and the ability to restart SQL Server services during installation. All active database connections should be closed before installation.
Are there known issues with KB5077464?
Known issues include potential installation failures with error 0x84B40000 if services aren't properly stopped, possible performance degradation requiring statistics updates, SQL Server Agent job failures due to enhanced security validation, and connection timeout issues due to increased security checks.

References (3)

1
KB5077464 : Mise à jour de sécurité pour SQL Server 2022 CU23Article de support officiel de Microsoft pour la mise à jour de sécurité KB5077464https://support.microsoft.com/en-us/topic/kb5077464-description-of-the-security-update-for-sql-server-2022-cu23-march-10-2026-b57d8bd7-e9f5-48a8-8a6f-2a52d3ad29f0
2
Mises à jour cumulatives de SQL Server 2022Liste complète des mises à jour cumulatives et des correctifs de sécurité pour SQL Server 2022https://learn.microsoft.com/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server
3
Meilleures pratiques de sécurité SQL ServerDirectives de sécurité et meilleures pratiques pour les déploiements de SQL Serverhttps://learn.microsoft.com/en-us/sql/relational-databases/security/security-center-for-sql-server-database-engine-and-azure-sql-database
#kb5077464#sql-server-2022#security-update

About the Author

Emanuel DE ALMEIDA

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...

Related KB Articles

Data center server infrastructure displaying SQL Server security update installation
KB5077468
SQL Server
KB Article

KB5077468 — Security Update for SQL Server 2025 GDR

KB5077468 is a security update released March 10, 2026, that addresses critical vulnerabilities in Microsoft SQL Server 2025 for x64-based systems, including remote code execution and privilege escalation flaws.

Mar 1112 min
Modern server room with SQL Server database systems and server racks
KB5077466
SQL Server
KB Article

KB5077466 — Security Update for SQL Server 2025 CU2

KB5077466 is a security update for Microsoft SQL Server 2025 Cumulative Update 2 (CU2) that addresses multiple security vulnerabilities and improves database engine security on x64-based systems.

Mar 1112 min
Data center server room with SQL Server database systems and server racks
KB5077470
SQL Server
KB Article

KB5077470 — Security Update for SQL Server 2019 GDR

KB5077470 is a security update for Microsoft SQL Server 2019 GDR that addresses multiple vulnerabilities including remote code execution and information disclosure flaws, released on March 10, 2026.

Mar 1112 min
Enterprise data center server room with SQL Server database systems and server racks
KB5077474
SQL Server
KB Article

KB5077474 — Security Update for SQL Server 2016 SP3 GDR

KB5077474 is a security update released March 10, 2026, that addresses critical vulnerabilities in Microsoft SQL Server 2016 Service Pack 3 General Distribution Release (GDR) for x64-based systems.

Mar 1112 min