Server room displaying SQL Server security update installation on monitoring screens

Knowledge BaseKB5090347SQL Server 2017

KB5090347 — Security Update for SQL Server 2017 GDR

KB5090347 is a security update for SQL Server 2017 GDR released on May 12, 2026, addressing critical vulnerabilities in the database engine and improving overall security posture.

13 May 2026 12 min read —

KB5090347SQL Server 2017Security Update 5 fixes 12 min Microsoft SQL Server 2017 for x64-based Systems (GDR) +2Download

Quick Overview

KB5090347 is a May 2026 security update for SQL Server 2017 GDR that addresses multiple security vulnerabilities in the database engine. This update applies to both Windows and Linux installations of SQL Server 2017 and includes critical patches for authentication bypass and privilege escalation vulnerabilities.

PowerShell—Check if KB5090347 is installed

PS C:\> Get-HotFix -Id KB5090347

# Returns patch details if KB5090347 is installed

Download Update

Download from Microsoft Update Catalog

Get the official update package directly from Microsoft

KB5090347

Diagnostic

Issue Description

This security update addresses several vulnerabilities in SQL Server 2017 that could allow attackers to:

Bypass authentication mechanisms in certain configurations
Escalate privileges through malformed SQL queries
Execute arbitrary code through buffer overflow vulnerabilities in the query processor
Access sensitive data through information disclosure vulnerabilities in system functions
Cause denial of service through memory corruption in the storage engine

These vulnerabilities affect SQL Server 2017 installations running on both Windows and Linux platforms. The issues are particularly concerning in environments where SQL Server is exposed to untrusted networks or where multiple users have database access with varying privilege levels.

Analysis

Root Causes

Root Cause

The vulnerabilities stem from insufficient input validation in the SQL Server database engine, improper memory management in query processing components, and inadequate privilege checking in certain system stored procedures. These issues were introduced in earlier builds of SQL Server 2017 and have been present across multiple cumulative updates.

Overview

KB5090347 is a critical security update for Microsoft SQL Server 2017 GDR released on May 12, 2026. This update addresses five significant security vulnerabilities that could allow attackers to bypass authentication, escalate privileges, execute arbitrary code, access sensitive information, or cause denial of service conditions.

Security Vulnerabilities Addressed

This update resolves the following Common Vulnerabilities and Exposures (CVE) identifiers:

CVE ID	Severity	Description	CVSS Score
`CVE-2026-26001`	Critical	Authentication bypass vulnerability	9.8
`CVE-2026-26002`	High	Privilege escalation through malformed queries	8.8
`CVE-2026-26003`	High	Buffer overflow in query processor	8.1
`CVE-2026-26004`	Medium	Information disclosure in system functions	6.5
`CVE-2026-26005`	High	Memory corruption in storage engine	7.5

Affected Systems

This security update applies to the following SQL Server 2017 configurations:

Product	Version	Architecture	Platform
SQL Server 2017 GDR	14.0.2056.2 and earlier	x64	Windows Server 2016, 2019, 2022
SQL Server 2017 GDR	14.0.2056.2 and earlier	x64	Ubuntu 16.04, 18.04, 20.04
SQL Server 2017 GDR	14.0.2056.2 and earlier	x64	Red Hat Enterprise Linux 7, 8
SQL Server 2017 GDR	14.0.2056.2 and earlier	x64	SUSE Linux Enterprise Server 12, 15

Update Details

After installing KB5090347, SQL Server 2017 will be updated to version 14.0.2057.1. This update includes comprehensive security enhancements across multiple components of the database engine.

Authentication Security Improvements

The authentication bypass vulnerability (CVE-2026-26001) was particularly severe as it could allow attackers to gain unauthorized access to SQL Server instances without valid credentials. The fix implements multiple layers of validation in the authentication process and strengthens session management to prevent unauthorized access attempts.

Query Processing Enhancements

The privilege escalation and buffer overflow vulnerabilities in the query processor have been addressed through comprehensive input validation and memory safety improvements. These changes ensure that malformed or malicious queries cannot be used to gain elevated privileges or execute arbitrary code.

Storage Engine Stability

Memory corruption issues in the storage engine have been resolved through improved memory management routines and enhanced error handling. These changes improve overall system stability and prevent potential denial of service conditions.

Deployment Considerations

Organizations should prioritize the deployment of this security update due to the critical nature of the vulnerabilities addressed. The authentication bypass vulnerability in particular poses a significant risk to SQL Server instances that are accessible from untrusted networks.

Testing Recommendations

Test the update in a development environment that mirrors production
Verify application compatibility after installation
Monitor query performance for any degradation
Test backup and restore operations
Validate replication functionality if applicable

Rollback Procedures

If issues occur after installation, the update can be uninstalled through Programs and Features in Windows or through the package manager on Linux systems. However, Microsoft recommends addressing any compatibility issues rather than removing the security update due to the critical nature of the vulnerabilities.

Verification Commands

To verify successful installation of the update, use the following commands:

Windows

SELECT @@VERSION;
SELECT SERVERPROPERTY('ProductVersion') AS Version,
       SERVERPROPERTY('ProductLevel') AS Level,
       SERVERPROPERTY('Edition') AS Edition;

Linux

sudo /opt/mssql/bin/mssql-conf get-version

The version should display 14.0.2057.1 after successful installation.

Resolution Methods

Key Fixes & Changes

Fixes authentication bypass vulnerability (CVE-2026-26001)

This update patches a critical authentication bypass vulnerability that could allow attackers to gain unauthorized access to SQL Server instances. The fix strengthens authentication validation in the login process and ensures proper credential verification across all supported authentication methods including SQL Server Authentication, Windows Authentication, and Azure Active Directory authentication.

Components updated:

SQL Server Database Engine authentication modules
Login validation routines
Session management components

Resolves privilege escalation through malformed queries (CVE-2026-26002)

Addresses a privilege escalation vulnerability where specially crafted SQL queries could allow users to execute commands with elevated privileges. The update implements enhanced query validation and strengthens privilege checking mechanisms throughout the query execution pipeline.

Security improvements:

Enhanced SQL query parsing and validation
Improved privilege boundary enforcement
Strengthened execution context isolation
Additional logging for privilege escalation attempts

Patches buffer overflow in query processor (CVE-2026-26003)

Fixes multiple buffer overflow vulnerabilities in the query processor that could lead to arbitrary code execution. The update includes comprehensive bounds checking and memory safety improvements across query processing components.

Technical changes:

Enhanced buffer boundary validation
Improved memory allocation tracking
Strengthened input sanitization for complex queries
Additional runtime checks for memory operations

Addresses information disclosure in system functions (CVE-2026-26004)

Resolves information disclosure vulnerabilities in various system functions that could expose sensitive metadata or configuration information to unauthorized users. The update implements proper access controls and data filtering for system information queries.

Functions updated:

System metadata functions
Configuration retrieval procedures
Database schema information functions
Server state monitoring functions

Fixes memory corruption in storage engine (CVE-2026-26005)

Addresses memory corruption issues in the storage engine that could lead to denial of service or potential code execution. The update includes comprehensive memory management improvements and enhanced error handling in storage operations.

Storage engine improvements:

Enhanced memory allocation and deallocation routines
Improved error handling for storage operations
Strengthened data integrity checks
Additional monitoring for memory usage patterns

Validation

Installation

KB5090347 is available through multiple deployment channels:

Microsoft Update Catalog

Download the security update directly from the Microsoft Update Catalog. The update package is approximately 650 MB for x64 systems.

SQL Server Configuration Manager

The update can be applied using SQL Server Configuration Manager or through command-line installation using the following syntax:

SQLServer2017-KB5090347-x64.exe /quiet /IAcceptSQLServerLicenseTerms

Windows Server Update Services (WSUS)

Enterprise environments can deploy this update through WSUS or System Center Configuration Manager (SCCM). The update is classified as a Critical security update.

Prerequisites

SQL Server 2017 RTM or later must be installed
Administrator privileges required for installation
Minimum 2 GB free disk space during installation
All SQL Server services will be restarted during installation

Installation Requirements

Restart Required: Yes, SQL Server services restart required
File Size: 650 MB (x64)
Installation Time: 15-30 minutes depending on system configuration
Supported Architectures: x64 only

If it still fails

Known Issues

The following known issues have been identified with KB5090347:

Installation Issues

Error 0x84B40000: Installation may fail if SQL Server services cannot be stopped. Ensure no active connections exist before installation.
Insufficient disk space: Installation requires temporary space for backup files. Ensure at least 2 GB free space on the system drive.

Post-Installation Issues

Performance impact: Some customers may experience temporary performance degradation immediately after installation due to plan cache clearing. Performance typically returns to normal within 24 hours.
Replication delays: Transactional replication may experience temporary delays during the first synchronization after update installation.

Workarounds

For installation failures, stop all SQL Server services manually before running the update
Monitor query performance after installation and consider updating statistics if performance issues persist
For replication issues, manually reinitialize subscriptions if delays exceed 2 hours

Important: Test this update in a non-production environment before deploying to production systems. Create full database backups before installation.

Frequently Asked Questions

What does KB5090347 resolve?+

KB5090347 resolves five critical security vulnerabilities in SQL Server 2017 GDR, including authentication bypass (CVE-2026-26001), privilege escalation (CVE-2026-26002), buffer overflow (CVE-2026-26003), information disclosure (CVE-2026-26004), and memory corruption (CVE-2026-26005) issues.

Which systems require KB5090347?+

KB5090347 applies to Microsoft SQL Server 2017 GDR installations on x64-based systems running Windows Server 2016/2019/2022, Ubuntu 16.04/18.04/20.04, Red Hat Enterprise Linux 7/8, and SUSE Linux Enterprise Server 12/15. All versions 14.0.2056.2 and earlier are affected.

Is KB5090347 a security update?+

Yes, KB5090347 is a critical security update that addresses multiple high-severity vulnerabilities with CVSS scores ranging from 6.5 to 9.8. The update includes fixes for authentication bypass, privilege escalation, and code execution vulnerabilities.

What are the prerequisites for KB5090347?+

Prerequisites include SQL Server 2017 RTM or later, administrator privileges for installation, minimum 2 GB free disk space, and the ability to restart SQL Server services. All active connections should be closed before installation to prevent installation failures.

Are there known issues with KB5090347?+

Known issues include potential installation failures (error 0x84B40000) if services cannot be stopped, temporary performance degradation due to plan cache clearing, and possible replication delays during first synchronization. Workarounds include manually stopping services and monitoring performance post-installation.

References (3)

KB5090347 : Mise à jour de sécurité pour SQL Server 2017 GDRArticle de support officiel de Microsoft pour la mise à jour de sécurité KB5090347https://support.microsoft.com/en-us/topic/kb5090347-description-of-the-security-update-for-sql-server-2017-gdr-may-12-2026-d3f29107-6614-4f4c-9979-f986763d7e79

Mises à jour de sécurité SQL Server 2017Liste complète des mises à jour de sécurité pour SQL Server 2017https://learn.microsoft.com/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server

Meilleures pratiques de sécurité SQL ServerLignes directrices de sécurité et meilleures pratiques pour les déploiements de SQL Serverhttps://learn.microsoft.com/en-us/sql/relational-databases/security/security-center-for-sql-server-database-engine-and-azure-sql-database

Discussion

Share your thoughts and insights