CVE-2026-42990 is a heap-based buffer overflow in the SQL Server ODBC driver that Microsoft classifies as an Elevation of Privilege vulnerability, with potential Remote Code Execution impact. It has a CVSS v3.1 base score of 9.8 (Critical) and temporal score of 8.5, using a NETWORK attack vector, LOW attack complexity, NO privileges required, and NO user interaction, with unchanged scope and high confidentiality, integrity, and availability impacts. Microsoft says exploitation is not publicly disclosed, not known to be exploited, and exploit code maturity is UNPROVEN; exploitation likelihood is rated “Exploitation Unlikely.” For enterprise environments, the network-based, unauthenticated, no-interaction profile makes this relevant for systems that connect to untrusted or malicious SQL Server endpoints. Highlights: - CVSS scores: Base 9.8 - Temporal 8.5 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts; title also identifies an Elevation of Privilege vulnerability. - Exploitation likelihood: Exploitation Unlikely; network vector, LOW attack complexity, NO privileges required, and NO user interaction. - Severity for enterprise: Critical technical severity; higher risk where affected clients connect to external or untrusted SQL Server endpoints because exploitation is network-triggered and requires no user interaction. - Patch status: available Affected systems: - Windows 10 1607, 1809, 21H2, 22H2 - Windows 11 23H2, 24H2, 25H2, 26H1, unspecified - Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025