Microsoft’s July 14, 2026 security update for SQL Server 2025 closes a buffer over-read that could allow authenticated attackers to read sensitive data, but the patch also carries a known issue that may break applications relying on linked servers with the MSDASQL provider.
What’s in the July 14 SQL Server 2025 Update
Tracked as CVE-2026-50468, the vulnerability sits in the SQL Server Database Engine. It’s a classic buffer over-read, where the software reads beyond the intended boundary of a memory buffer, potentially exposing whatever data happens to be stored in adjacent memory. Microsoft rates the flaw “Important” with a CVSS 3.1 score of 6.5, signaling a serious—but not catastrophic—risk.
The attack vector is over the network, requires low privileges, and has low complexity. An attacker doesn’t need any user interaction, but they must first authenticate to the SQL Server instance. In practical terms, someone needs a valid login—whether a low-privilege account, stolen credentials, or a compromised application identity—before they can exploit this.
Once inside, the vulnerability could let them read data they’re not supposed to see, such as memory contents that include sensitive information from other tables or sessions. Microsoft’s advisory makes clear this isn’t about injecting code or crashing the server; it’s purely a confidentiality hit. No data can be altered, and service stays online.
The fix arrives in two packages, depending on which servicing branch your SQL Server 2025 installation follows. Cumulative Update (CU) users install KB5101346, which bumps the engine to build 17.0.4060.2. General Distribution Release (GDR) users install KB5102333, targeting build 17.0.1125.2. Both are available through Windows Update, the Microsoft Update Catalog, and direct download.
Why This Flaw Matters Even With Authentication Required
A 6.5 CVSS score might not set off alarm bells like a remote code execution would, but the requirement for authentication shouldn’t lull anyone into complacency. In enterprise environments, low-privilege accounts are everywhere—service accounts, application logins, report readers. If one of those gets hijacked or misused, CVE-2026-50468 becomes a data exfiltration pipe.
Think about what SQL Server holds: customer records, financial transactions, proprietary business logic, encryption keys in memory. A buffer over-read doesn’t pick and choose; it scoops up whatever memory the engine had allocated nearby. That could be query results from another user, cached data, or internal structures that reveal more than intended.
And because the attack requires only network connectivity and a login, it’s feasible for a remote insider or an external attacker who has already gained a foothold on the network. Lateral movement often starts with losing a low-level credential, and this vulnerability turns that into a direct path to sensitive data.
The Patch Lands Alongside Other Critical Fixes
KB5101346 isn’t a single-issue patch. It bundles seven security advisories for SQL Server 2025, including remote-code-execution and elevation-of-privilege vulnerabilities. Organizations that might have deprioritized a 6.5-rated information leak will now have to account for those more severe threats in the same maintenance window.
This bundling is typical for Microsoft’s cumulative updates. It means the July 2026 release should be treated as a high-priority security update, not just an integrity patch. The presence of other highly rated CVEs changes the risk calculus: even if CVE-2026-50468 seems manageable, the overall package demands urgent attention.
Moreover, the update also introduces a known compatibility issue that database teams must test: the MSDASQL OLE DB provider for ODBC drivers can reject linked-server queries that pass a provider string via @provstr. This stricter validation, while improving security, will break applications that rely on older or non-standard linked-server configurations.
Your Patching Checklist: Builds, Linked Servers, and Rollbacks
First, identify your current build. Run this query on each instance:
SELECT
SERVERPROPERTY('ProductVersion') AS ProductVersion,
SERVERPROPERTY('ProductLevel') AS ProductLevel,
SERVERPROPERTY('Edition') AS Edition;
Compare the result with the fixed baselines:
- CU branch: Version 17.0.4060.2 or later
- GDR branch: Version 17.0.1125.2 or later
If you’re on a version below these, you need to apply the corresponding KB. Don’t switch servicing branches on a whim; if you’re CU, stay CU. GDR users should stick with GDR.
Download the package (KB5101346 for CU, KB5102333 for GDR) from the Microsoft Update Catalog or Windows Update. Linux installations pull the updated packages through Microsoft’s configured repository and the platform’s native package manager.
Before applying, prepare for a database maintenance event:
- Schedule a full backup or verify your latest one is recoverable.
- Review your high availability setup: Availability Groups, failover clusters, replication, log shipping. Plan the upgrade sequence and validate failover readiness.
- Communicate the maintenance window to application owners and ensure connection pools can handle a service restart.
After installation, restart the SQL Server service. Then immediately test linked-server queries that use the MSDASQL provider with provider strings. Look for error 7416:
Msg 7416, Level 16
Access to the remote server is denied because no login-mapping exists.
If you see this, you’ll need to adjust the linked-server configuration. Options include switching to a different OLE DB provider (like the native SQL Server client), explicitly mapping logins without relying on provider strings, or, if absolutely necessary and after a thorough security review, modifying the validation behavior. Microsoft documents workarounds in the KB article.
Don’t overlook SQL Agent jobs, ETL packages, reporting queries, and any stored procedures that cross server boundaries. A linked-server failure can bring down batch processes silently unless you actively probe them.
Finally, check the error log, Windows event logs, cluster state, and replication health before closing the maintenance window.
How We Got Here
CVE-2026-50468 came to light through Microsoft’s regular Patch Tuesday cycle on July 14, 2026. The vulnerability was reported confidentially and fixed before any known exploitation appeared in the wild, according to CISA’s initial assessment. The National Vulnerability Database still awaited full enrichment analysis as of mid-July.
This is the first buffer over-read fixed in SQL Server 2025’s short history, but similar memory-safety issues have appeared in older SQL Server versions. Microsoft’s decision to ship the fix only for the 2025 branch—and not for SQL Server 2022 or earlier—suggests the flaw was introduced in the 2025 codebase.
The linked-server quirk isn’t new, either. Microsoft has tightened connection validation across several recent security releases, and each time, legacy configurations that rely on loose provider-string handling break. The company prioritizes secure defaults, but the side effect is a recurring sting for shops with deeply embedded linked-server architectures.
What Comes Next
Microsoft may release more details about the vulnerability once enterprises have had time to patch. For now, the advisory deliberately withholds the specific query or protocol that triggers the over-read, making it harder for attackers to reverse-engineer an exploit.
Keep an eye on the SQL Server release notes and the MSRC blog. If exploitation attempts surface, Microsoft will update the advisory and CISA may release additional guidance. For now, apply the July 2026 cumulative update, validate your linked-server communication, and treat this as one part of a broader defense-in-depth strategy for your data tier.