CVE-2026-27671 PUBLISHED

Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

Assigner: sap
Reserved: 23.02.2026 Published: 09.06.2026 Updated: 09.06.2026

Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP NetWeaver AS ABAP and ABAP Platform
Versions	Default: unaffected Version KRNL64NUC 7.22 is affected Version 7.22EXT is affected Version KRNL64UC 7.22 is affected Version 722EXT is affected Version 7.53 is affected Version KERNEL 7.22 is affected Version 7.54 is affected Version 7.77 is affected Version 7.89 is affected Version 7.93 is affected Version 9.16 is affected Version 9.18 is affected Version 91.9 is affected

CVE-2026-27671 PUBLISHED

Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

Metrics

Product Status

References

Problem Types