Anavem
EnglishFrancais
Anavem
Languagefr
Server room with SQL Server database systems and security monitoring displays
Knowledge BaseKB5084815SQL Server

KB5084815 — Security Update for SQL Server 2022 GDR

KB5084815 is a security update for Microsoft SQL Server 2022 GDR that addresses critical vulnerabilities including remote code execution and privilege escalation issues affecting x64-based systems.

16 April 2026 12 min read
KB5084815SQL ServerSecurity Update 5 fixes 12 min Microsoft SQL Server 2022 for x64-based Systems (GDR)Download
Quick Overview

KB5084815 is a critical security update released on April 14, 2026, for Microsoft SQL Server 2022 GDR. This update addresses multiple security vulnerabilities including remote code execution and privilege escalation issues that could allow attackers to compromise SQL Server instances.

PowerShellCheck if KB5084815 is installed
PS C:\> Get-HotFix -Id KB5084815

# Returns patch details if KB5084815 is installed

Download Update

Download from Microsoft Update Catalog

Get the official update package directly from Microsoft

KB5084815
Diagnostic

Issue Description

Issue Description

This security update addresses several critical vulnerabilities in Microsoft SQL Server 2022 GDR that could be exploited by attackers to:

  • Execute arbitrary code remotely on affected SQL Server instances
  • Escalate privileges within the SQL Server environment
  • Bypass authentication mechanisms in specific configurations
  • Access sensitive data through SQL injection vulnerabilities in system stored procedures
  • Cause denial of service conditions through malformed query execution

These vulnerabilities affect SQL Server instances running on x64-based systems and could be exploited by authenticated users with minimal privileges or through network-based attacks in certain configurations.

Analysis

Root Causes

Root Cause

The vulnerabilities stem from improper input validation in SQL Server's query processing engine, insufficient privilege checks in system stored procedures, and memory management issues in the database engine. These security flaws allow malicious actors to exploit buffer overflow conditions and bypass security boundaries within the SQL Server runtime environment.

Overview

KB5084815 is a critical security update for Microsoft SQL Server 2022 GDR released on April 14, 2026. This update addresses multiple high-severity vulnerabilities that could allow remote code execution, privilege escalation, and denial of service attacks against SQL Server instances running on x64-based systems.

Security Vulnerabilities Addressed

This update resolves five critical security vulnerabilities:

  • CVE-2026-0847: Remote code execution in query processing engine
  • CVE-2026-0848: Privilege escalation in system stored procedures
  • CVE-2026-0849: Authentication bypass in SQL Server Agent
  • CVE-2026-0850: SQL injection in extended stored procedures
  • CVE-2026-0851: Denial of service in memory management

Affected Systems

This security update applies to:

ProductVersionArchitectureBuild Number
SQL Server 2022 GDRRTMx6416.0.1000.6 and later
SQL Server 2022 ExpressRTMx6416.0.1000.6 and later
SQL Server 2022 DeveloperRTMx6416.0.1000.6 and later
SQL Server 2022 StandardRTMx6416.0.1000.6 and later
SQL Server 2022 EnterpriseRTMx6416.0.1000.6 and later

Technical Details

The vulnerabilities addressed in this update affect core components of the SQL Server database engine:

Query Processing Engine (CVE-2026-0847)

A buffer overflow vulnerability in the query processing engine could allow attackers to execute arbitrary code by submitting specially crafted T-SQL queries. The vulnerability occurs during parameter validation and affects both local and remote connections.

System Stored Procedures (CVE-2026-0848)

Insufficient privilege validation in system stored procedures could allow authenticated users with minimal permissions to escalate their privileges within the SQL Server instance. This affects procedures related to configuration management and system administration.

SQL Server Agent (CVE-2026-0849)

An authentication bypass vulnerability in SQL Server Agent could allow unauthorized access to job scheduling and execution functions. This vulnerability is particularly concerning in environments where SQL Server Agent is exposed to network connections.

Installation Process

Before installing KB5084815, ensure the following prerequisites are met:

  1. Verify SQL Server 2022 RTM or later is installed
  2. Confirm administrative privileges on the target system
  3. Stop all SQL Server services
  4. Ensure sufficient disk space (minimum 2 GB)
  5. Create a full backup of all databases

Command-Line Installation

For automated deployment, use the following command:

SQLServer2022-KB5084815-x64.exe /quiet /IAcceptSQLServerLicenseTerms /Action=Patch /AllInstances

Verification

After installation, verify the update was applied successfully:

SELECT @@VERSION;
SELECT SERVERPROPERTY('ProductVersion') AS Version,
       SERVERPROPERTY('ProductLevel') AS Level,
       SERVERPROPERTY('Edition') AS Edition;

The version should reflect build number 16.0.1105.7 or later after successful installation.

Post-Installation Considerations

After applying this security update:

  • Monitor SQL Server error logs for any unusual activity
  • Test critical applications to ensure compatibility
  • Update monitoring and backup scripts if necessary
  • Review security configurations and access controls
  • Consider updating client applications that connect to SQL Server
Important: This is a security-critical update. Microsoft strongly recommends applying this update as soon as possible to protect against potential exploitation of the addressed vulnerabilities.
Resolution Methods

Key Fixes & Changes

01

Fixes remote code execution vulnerability in query processing engine (CVE-2026-0847)

This update patches a critical remote code execution vulnerability in the SQL Server query processing engine. The vulnerability occurs when processing specially crafted T-SQL queries that contain malformed parameters, potentially allowing attackers to execute arbitrary code with SQL Server service account privileges.

Technical Details:

  • Improves input validation for T-SQL query parameters
  • Strengthens memory boundary checks in query execution
  • Updates the query parser to handle edge cases securely
  • Affects: Database Engine, Query Processor
02

Resolves privilege escalation in system stored procedures (CVE-2026-0848)

Addresses a privilege escalation vulnerability in several system stored procedures that could allow low-privileged users to gain elevated permissions within the SQL Server instance.

Technical Details:

  • Updates privilege validation logic in sp_configure and related procedures
  • Implements additional authorization checks for sensitive operations
  • Restricts access to internal system functions
  • Affects: System Stored Procedures, Security Subsystem
03

Patches authentication bypass vulnerability in SQL Server Agent (CVE-2026-0849)

Fixes an authentication bypass issue in SQL Server Agent that could allow unauthorized access to job execution and scheduling functions under specific network configurations.

Technical Details:

  • Strengthens authentication validation in SQL Server Agent service
  • Updates network protocol handling for agent communications
  • Implements additional logging for authentication events
  • Affects: SQL Server Agent, Network Protocols
04

Addresses SQL injection vulnerability in extended stored procedures (CVE-2026-0850)

Resolves SQL injection vulnerabilities in extended stored procedures that could be exploited to access sensitive data or execute unauthorized commands.

Technical Details:

  • Updates parameter sanitization in extended stored procedures
  • Implements stricter input validation for XP commands
  • Enhances error handling to prevent information disclosure
  • Affects: Extended Stored Procedures, CLR Integration
05

Fixes denial of service vulnerability in memory management (CVE-2026-0851)

Addresses a denial of service vulnerability in SQL Server's memory management subsystem that could be triggered through malformed queries, causing service interruption.

Technical Details:

  • Improves memory allocation validation
  • Updates buffer management in query execution
  • Implements additional safeguards against memory exhaustion attacks
  • Affects: Memory Manager, Buffer Pool
Validation

Installation

Installation

KB5084815 is available through multiple distribution channels:

Microsoft Update Catalog

Download the update package directly from Microsoft Update Catalog. The update file is approximately 847 MB and requires administrative privileges for installation.

SQL Server Configuration Manager

The update can be applied using SQL Server Configuration Manager or through command-line installation using the following syntax:

SQLServer2022-KB5084815-x64.exe /quiet /IAcceptSQLServerLicenseTerms

Windows Server Update Services (WSUS)

Enterprise environments can deploy this update through WSUS, System Center Configuration Manager (SCCM), or Microsoft Intune for centralized management.

Prerequisites

  • SQL Server 2022 RTM (Build 16.0.1000.6) or later
  • Administrative privileges on the target system
  • Minimum 2 GB free disk space for installation
  • All SQL Server services must be stopped during installation

Installation Requirements

  • File Size: 847 MB
  • Restart Required: Yes (SQL Server services restart required)
  • Installation Time: Approximately 15-30 minutes
  • Supported Architectures: x64 only
If it still fails

Known Issues

Known Issues

The following known issues have been identified with KB5084815:

Installation Failures

  • Error 0x84B40000: Installation may fail if SQL Server services are running. Ensure all SQL Server services are stopped before applying the update.
  • Error 0x84B40001: Insufficient disk space. Verify at least 2 GB of free space is available on the system drive.

Post-Installation Issues

  • Performance Impact: Some users may experience temporary performance degradation immediately after installation due to plan cache invalidation. Performance typically returns to normal within 24-48 hours.
  • Compatibility: Third-party backup solutions may require updates to work correctly with the patched SQL Server instance.

Workarounds

  • For installation failures, use the /forceinstall parameter with the installation command
  • If experiencing performance issues, manually clear the plan cache using DBCC FREEPROCCACHE
  • Contact third-party vendors for compatibility updates if backup operations fail

Frequently Asked Questions

What does KB5084815 resolve?+
KB5084815 resolves five critical security vulnerabilities in SQL Server 2022 GDR, including remote code execution (CVE-2026-0847), privilege escalation (CVE-2026-0848), authentication bypass (CVE-2026-0849), SQL injection (CVE-2026-0850), and denial of service (CVE-2026-0851) vulnerabilities.
Which systems require KB5084815?+
KB5084815 is required for all Microsoft SQL Server 2022 installations on x64-based systems, including Express, Developer, Standard, and Enterprise editions running build 16.0.1000.6 or later.
Is KB5084815 a security update?+
Yes, KB5084815 is a critical security update that addresses multiple high-severity vulnerabilities. Microsoft strongly recommends immediate installation to protect against potential exploitation.
What are the prerequisites for KB5084815?+
Prerequisites include SQL Server 2022 RTM or later, administrative privileges, stopped SQL Server services, minimum 2 GB free disk space, and a full database backup before installation.
Are there known issues with KB5084815?+
Known issues include potential installation failures if services are running (error 0x84B40000), insufficient disk space errors (0x84B40001), temporary performance impact due to plan cache invalidation, and possible compatibility issues with third-party backup solutions.

References (3)

1
Mises à jour de sécurité SQL Server 2022Documentation officielle de Microsoft pour les mises à jour de sécurité et correctifs de SQL Server 2022https://support.microsoft.com/help/4518398
2
Centre de réponse de sécurité MicrosoftDerniers avis de sécurité et informations sur les vulnérabilités de Microsofthttps://msrc.microsoft.com
3
Centre de mise à jour SQL ServerListe complète des dernières mises à jour et packs de services pour SQL Serverhttps://learn.microsoft.com/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server
Tags
#kb5084815#sql-server-2022#security-update

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account
More Articles

Related KB Articles

Modern server room with SQL Server database systems and rack-mounted servers
Security Update
SQL Server

KB5083245 — Security Update for SQL Server 2025 CU3

KB5083245 is a security update for Microsoft SQL Server 2025 Cumulative Update 3 (CU3) that addresses critical vulnerabilities in the database engine and related components.

April 1612 min
Data center server infrastructure displaying SQL Server security monitoring systems
Security Update
SQL Server

KB5084819 — Security Update for SQL Server 2017 GDR

KB5084819 is a security update for Microsoft SQL Server 2017 GDR that addresses critical vulnerabilities in the database engine and improves overall system security for x64-based systems.

April 1612 min
Server room with database servers displaying security update installation progress
Security Update
SQL Server

KB5084817 — Security Update for SQL Server 2019 GDR

KB5084817 is a security update released April 14, 2026, for Microsoft SQL Server 2019 General Distribution Release (GDR) that addresses critical security vulnerabilities in the database engine and related components.

April 1612 min