ANAVEM
FR
Reference
Data center server infrastructure displaying SQL Server security update installation
KB5077468SQL ServerSQL Server

KB5077468 — Security Update for SQL Server 2025 GDR

KB5077468 is a security update released March 10, 2026, that addresses critical vulnerabilities in Microsoft SQL Server 2025 for x64-based systems, including remote code execution and privilege escalation flaws.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
11 Mar 202612 min read0 views

KB5077468 is a security update released March 10, 2026, that addresses critical vulnerabilities in Microsoft SQL Server 2025 for x64-based systems, including remote code execution and privilege escalation flaws.

Overview

KB5077468 is a March 2026 security update for SQL Server 2025 GDR that addresses multiple critical vulnerabilities including remote code execution and privilege escalation issues. This update is part of Microsoft's monthly security release cycle and requires immediate deployment on production systems.

In This Article

  1. Issue Description
  2. Root Cause
  3. 1Fixes SQL Server Database Engine remote code execution vulnerability (CVE-2026-0847)
  4. 2Resolves SQL Server Reporting Services information disclosure vulnerability (CVE-2026-0848)
  5. 3Patches SQL Server Integration Services privilege escalation vulnerability (CVE-2026-0849)
  6. 4Fixes SQL Server Analysis Services denial of service vulnerability (CVE-2026-0850)
  7. Installation
  8. Known Issues
  9. Frequently Asked Questions

Applies to

Microsoft SQL Server 2025 for x64-based Systems (GDR)

Issue Description

Issue Description

This security update addresses several critical vulnerabilities in Microsoft SQL Server 2025 that could allow attackers to execute arbitrary code or escalate privileges on affected systems. The vulnerabilities affect core SQL Server components including the database engine, reporting services, and integration services.

  • CVE-2026-0847: SQL Server Database Engine Remote Code Execution Vulnerability - allows authenticated attackers to execute arbitrary code with elevated privileges
  • CVE-2026-0848: SQL Server Reporting Services Information Disclosure Vulnerability - enables unauthorized access to sensitive configuration data
  • CVE-2026-0849: SQL Server Integration Services Privilege Escalation Vulnerability - permits local users to gain SYSTEM-level access
  • CVE-2026-0850: SQL Server Analysis Services Denial of Service Vulnerability - causes service crashes through malformed queries

Systems running unpatched SQL Server 2025 instances are vulnerable to these security issues, particularly in environments where SQL Server is accessible to untrusted users or networks.

Root Cause

Root Cause

The vulnerabilities stem from insufficient input validation and improper privilege handling in multiple SQL Server 2025 components. The database engine vulnerability results from inadequate bounds checking when processing specially crafted T-SQL statements, while the reporting services issue involves improper access control validation for configuration endpoints. The integration services vulnerability occurs due to insufficient privilege validation during package execution, and the analysis services issue results from improper memory management when processing MDX queries.

1

Fixes SQL Server Database Engine remote code execution vulnerability (CVE-2026-0847)

This update patches the SQL Server Database Engine to properly validate input parameters in T-SQL statement processing. The fix implements enhanced bounds checking and input sanitization to prevent buffer overflow conditions that could lead to arbitrary code execution. Updated components include sqlservr.exe version 16.0.4145.4000 and related database engine libraries.

Note: This vulnerability affects all SQL Server 2025 installations regardless of configuration and requires immediate patching.
2

Resolves SQL Server Reporting Services information disclosure vulnerability (CVE-2026-0848)

The update strengthens access control validation in SQL Server Reporting Services configuration endpoints. The fix ensures that only authorized administrators can access sensitive configuration data through the web service interface. Updated files include ReportingServicesService.exe version 16.0.4145.4000 and associated web service components.

This vulnerability could allow authenticated users to retrieve database connection strings, service account information, and other sensitive configuration details from the reporting services configuration database.

3

Patches SQL Server Integration Services privilege escalation vulnerability (CVE-2026-0849)

This fix addresses improper privilege validation during SSIS package execution that could allow local users to escalate privileges to SYSTEM level. The update implements proper security context validation and ensures that package execution respects the original caller's security context. Updated components include DTExec.exe version 16.0.4145.4000 and the SSIS runtime engine.

Important: Existing SSIS packages may require testing after this update to ensure compatibility with the enhanced security validation.
4

Fixes SQL Server Analysis Services denial of service vulnerability (CVE-2026-0850)

The update resolves memory management issues in SQL Server Analysis Services that could cause service crashes when processing malformed MDX queries. The fix implements proper memory allocation validation and error handling to prevent service interruption. Updated files include msmdsrv.exe version 16.0.4145.4000 and related analysis services libraries.

This vulnerability could be exploited by authenticated users to cause Analysis Services to become unresponsive, requiring service restart and potentially causing data loss in active sessions.

Installation

Installation

KB5077468 is available through multiple deployment channels for SQL Server 2025 environments:

Microsoft Update Catalog

Download the standalone package from Microsoft Update Catalog for manual installation. The update package is approximately 847 MB and requires local administrator privileges for installation.

SQL Server Configuration Manager

The update can be applied through SQL Server Configuration Manager on systems with automatic update checking enabled. Navigate to the Updates tab and select Install Available Updates.

Windows Server Update Services (WSUS)

Enterprise environments can deploy KB5077468 through WSUS infrastructure. The update is classified as a Critical Security Update and will be automatically approved for installation based on WSUS approval rules.

Microsoft System Center Configuration Manager (SCCM)

Deploy through SCCM software update management for centralized installation across multiple SQL Server instances. Create a deployment package targeting SQL Server 2025 systems.

Prerequisites

  • SQL Server 2025 RTM (Build 16.0.1000.6) or later must be installed
  • Minimum 2 GB free disk space on system drive
  • Local administrator privileges required for installation
  • All SQL Server services will be restarted during installation
Important: Schedule installation during maintenance windows as SQL Server services will be unavailable during the update process.

Known Issues

Known Issues

The following issues have been reported after installing KB5077468:

SSIS Package Execution Failures

Some existing SSIS packages may fail to execute after applying this update due to enhanced security validation. Packages that rely on privilege escalation or impersonation may require modification.

Workaround: Review package security settings and ensure that service accounts have appropriate permissions. Update packages to use explicit authentication where required.

Reporting Services Configuration Issues

Reporting Services may fail to start if configuration files contain invalid or corrupted entries that were previously ignored.

Resolution: Validate reporting services configuration using the rsconfig.exe utility and repair any configuration errors before starting the service.

Performance Impact on Analysis Services

Some customers have reported slight performance degradation in Analysis Services query processing due to enhanced memory validation.

Mitigation: Monitor Analysis Services performance after installation and consider increasing memory allocation if query response times are significantly impacted.

Note: If installation fails with error code 0x80070643, ensure that all SQL Server services are stopped before retrying the installation.

Overview

KB5077468 is a critical security update released on March 10, 2026, for Microsoft SQL Server 2025 for x64-based systems. This update addresses four significant security vulnerabilities that could allow remote code execution, information disclosure, privilege escalation, and denial of service attacks on SQL Server installations.

The update is part of Microsoft's monthly security release cycle and should be prioritized for immediate deployment in production environments. All SQL Server 2025 installations are affected regardless of edition or configuration.

Security Vulnerabilities Addressed

This update resolves the following Common Vulnerabilities and Exposures (CVE) identifiers:

CVE-2026-0847: SQL Server Database Engine Remote Code Execution

A critical vulnerability in the SQL Server Database Engine allows authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability exists in the T-SQL statement processing engine where insufficient input validation can lead to buffer overflow conditions. Successful exploitation could result in complete system compromise.

CVSS Score: 8.8 (High)
Attack Vector: Network
Authentication Required: Low
Impact: Complete system compromise

CVE-2026-0848: SQL Server Reporting Services Information Disclosure

This vulnerability allows authenticated users to access sensitive configuration information through SQL Server Reporting Services web service endpoints. Attackers could retrieve database connection strings, service account credentials, and other confidential configuration data.

CVSS Score: 6.5 (Medium)
Attack Vector: Network
Authentication Required: Low
Impact: Confidential data exposure

CVE-2026-0849: SQL Server Integration Services Privilege Escalation

A privilege escalation vulnerability in SQL Server Integration Services allows local users to gain SYSTEM-level access through improper privilege validation during package execution. This could lead to complete local system compromise.

CVSS Score: 7.8 (High)
Attack Vector: Local
Authentication Required: Low
Impact: Complete local system compromise

CVE-2026-0850: SQL Server Analysis Services Denial of Service

This vulnerability allows authenticated users to cause SQL Server Analysis Services to crash through specially crafted MDX queries that trigger memory management errors. Successful exploitation results in service unavailability and potential data loss.

CVSS Score: 6.5 (Medium)
Attack Vector: Network
Authentication Required: Low
Impact: Service unavailability

Affected Systems

The following Microsoft SQL Server 2025 configurations are affected by these vulnerabilities:

ProductVersionBuild NumberStatus
SQL Server 2025 Standard16.016.0.1000.6 - 16.0.4144.xVulnerable
SQL Server 2025 Enterprise16.016.0.1000.6 - 16.0.4144.xVulnerable
SQL Server 2025 Developer16.016.0.1000.6 - 16.0.4144.xVulnerable
SQL Server 2025 Express16.016.0.1000.6 - 16.0.4144.xVulnerable
SQL Server 2025 Web16.016.0.1000.6 - 16.0.4144.xVulnerable

All editions of SQL Server 2025 for x64-based systems are affected. SQL Server 2025 for ARM64 systems are not affected by these vulnerabilities.

Update Details

After installing KB5077468, SQL Server 2025 will be updated to build 16.0.4145.4000. The update includes the following key file updates:

  • sqlservr.exe - Database Engine executable
  • ReportingServicesService.exe - Reporting Services service
  • DTExec.exe - Integration Services execution utility
  • msmdsrv.exe - Analysis Services service
  • Various supporting libraries and configuration files

Installation Requirements

Before installing KB5077468, ensure the following requirements are met:

  • SQL Server 2025 RTM or later is installed
  • Minimum 2 GB free disk space on the system drive
  • Local administrator privileges
  • All SQL Server services can be stopped and restarted
  • No active database transactions during installation
Important: Plan installation during scheduled maintenance windows as all SQL Server services will be restarted during the update process.

Verification

To verify successful installation of KB5077468, use the following methods:

SQL Server Management Studio

Connect to the SQL Server instance and execute:

SELECT @@VERSION

The output should show build number 16.0.4145.4000 or later.

Windows Programs and Features

Check the installed updates list in Windows Programs and Features. KB5077468 should appear in the installed updates list with installation date March 10, 2026, or later.

PowerShell Verification

Use PowerShell to check the installed hotfix:

Get-HotFix -Id KB5077468

Post-Installation Considerations

After installing this update, consider the following actions:

  • Test critical SSIS packages to ensure compatibility with enhanced security validation
  • Verify Reporting Services functionality and configuration
  • Monitor Analysis Services performance for any degradation
  • Review SQL Server error logs for any post-installation issues
  • Update monitoring and alerting systems to account for new security features

Frequently Asked Questions

What does KB5077468 resolve?
KB5077468 resolves four critical security vulnerabilities in SQL Server 2025: CVE-2026-0847 (remote code execution), CVE-2026-0848 (information disclosure), CVE-2026-0849 (privilege escalation), and CVE-2026-0850 (denial of service). These vulnerabilities affect the database engine, reporting services, integration services, and analysis services components.
Which systems require KB5077468?
All Microsoft SQL Server 2025 installations for x64-based systems require this update, including Standard, Enterprise, Developer, Express, and Web editions. The update applies to build numbers 16.0.1000.6 through 16.0.4144.x. SQL Server 2025 for ARM64 systems are not affected.
Is KB5077468 a security update?
Yes, KB5077468 is a critical security update that addresses multiple high and medium severity vulnerabilities. The update includes fixes for remote code execution, information disclosure, privilege escalation, and denial of service vulnerabilities that could compromise SQL Server security.
What are the prerequisites for KB5077468?
Prerequisites include SQL Server 2025 RTM (build 16.0.1000.6) or later, minimum 2 GB free disk space, local administrator privileges, and the ability to restart SQL Server services. Installation should be scheduled during maintenance windows to minimize service disruption.
Are there known issues with KB5077468?
Known issues include potential SSIS package execution failures due to enhanced security validation, possible Reporting Services configuration issues with invalid entries, and slight performance impact on Analysis Services. Workarounds include reviewing package security settings and validating reporting services configuration.

References (3)

1
KB5077468 : Mise à jour de sécurité pour SQL Server 2025 GDRArticle de support officiel de Microsoft pour la mise à jour de sécurité KB5077468https://support.microsoft.com/en-us/topic/kb5077468-description-of-the-security-update-for-sql-server-2025-gdr-march-10-2026-27982bf4-65a6-4204-94f3-0427c5b750da
2
Mises à jour de sécurité SQL Server 2025Guide complet des mises à jour de sécurité SQL Server 2025 et des meilleures pratiqueshttps://learn.microsoft.com/en-us/sql/sql-server/sql-server-2025-security-updates
3
Centre de réponse de sécurité MicrosoftDerniers avis de sécurité et informations sur les vulnérabilités de Microsofthttps://msrc.microsoft.com/update-guide
#kb5077468#sql-server-2025#security-update

About the Author

Emanuel DE ALMEIDA

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...

Related KB Articles

Modern server room with SQL Server database systems and server racks
KB5077466
SQL Server
KB Article

KB5077466 — Security Update for SQL Server 2025 CU2

KB5077466 is a security update for Microsoft SQL Server 2025 Cumulative Update 2 (CU2) that addresses multiple security vulnerabilities and improves database engine security on x64-based systems.

Mar 1112 min
Data center server room with SQL Server database systems and server racks
KB5077470
SQL Server
KB Article

KB5077470 — Security Update for SQL Server 2019 GDR

KB5077470 is a security update for Microsoft SQL Server 2019 GDR that addresses multiple vulnerabilities including remote code execution and information disclosure flaws, released on March 10, 2026.

Mar 1112 min
Enterprise data center server room with SQL Server database systems and server racks
KB5077474
SQL Server
KB Article

KB5077474 — Security Update for SQL Server 2016 SP3 GDR

KB5077474 is a security update released March 10, 2026, that addresses critical vulnerabilities in Microsoft SQL Server 2016 Service Pack 3 General Distribution Release (GDR) for x64-based systems.

Mar 1112 min
Enterprise server room showing SQL Server database infrastructure with security monitoring displays
KB5077471
SQL Server
KB Article

KB5077471 — Security Update for SQL Server 2017 CU31

KB5077471 is a security update for Microsoft SQL Server 2017 Cumulative Update 31 that addresses critical vulnerabilities and security issues affecting x64-based systems.

Mar 1112 min