CVE-2026-54118 is a Microsoft SQL Server remote code execution vulnerability caused by deserialization of untrusted data. Microsoft rates it High severity with a CVSS v3.1 base score of 8.8 and temporal score of 7.7. The vector is network-based, low complexity, requires low privileges, and no user interaction, with high confidentiality, integrity, and availability impact. Microsoft says it is not publicly disclosed, not exploited, and exploit code maturity is unproven. Because it is remotely reachable and does not require user interaction, it is relevant for enterprise SQL Server deployments, especially where SQL Server is network exposed. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; network vector, LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High priority for exposed SQL Server instances because the vulnerability is remotely exploitable over the network and can lead to full code execution, though Microsoft does not report active exploitation. - Patch status: available Affected systems: - Microsoft SQL Server 2025 CU6+GDR - Microsoft SQL Server 2025 RTM+GDR - Microsoft SQL Server 2022 CU25+GDR - Microsoft SQL Server 2022 RTM+GDR - Microsoft SQL Server 2019 CU32+GDR - Microsoft SQL Server 2019 RTM+GDR - Microsoft SQL Server 2017 CU31+GDR - Microsoft SQL Server 2017 RTM+GDR - Microsoft SQL Server 2016 Azure Connect Feature Pack+GDR - Microsoft SQL Server 2016 SP3+GDR