FKIE_CVE-2026-24320

Vulnerability from fkie_nvd - Published: 2026-02-10 04:16 - Updated: 2026-02-17 15:27
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may result in memory corruption and the potential leakage of memory content. Successful exploitation of this vulnerability would have a low impact on the confidentiality of the application, with no effect on its integrity or availability.
References
cna@sap.comhttps://me.sap.com/notes/3678313Permissions Required
cna@sap.comhttps://url.sap/sapsecuritypatchdayVendor Advisory
Impacted products
Vendor Product Version
sap netweaver_as_abap_kernel 7.22
sap netweaver_as_abap_kernel 7.54
sap netweaver_as_abap_kernel 7.77
sap netweaver_as_abap_kernel 7.89
sap netweaver_as_abap_kernel 7.93
sap netweaver_as_abap_kernel 9.16
sap netweaver_as_abap_kernel 9.17
sap netweaver_as_abap_kernel 9.18
sap netweaver_as_abap_krnl64nuc 7.22
sap netweaver_as_abap_krnl64nuc 7.22ext
sap netweaver_as_abap_krnl64uc 7.22
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE603A80-8FF0-4180-9E11-C468AE2441C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F5D31D3-B2B2-4347-B8DF-D06056289598",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:*:*:*:*:*:*:*",
              "matchCriteriaId": "50570852-982E-40CA-B391-3FB8B9373F78",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8B74AD9-A83E-45DD-96C2-4F3C8C8C6AE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:*:*:*:*:*:*:*",
              "matchCriteriaId": "237DBA4A-B5A9-48C9-B6A3-D293BB66EF69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "3668B2D9-0A4C-43F5-B248-9A6438AF7D71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB41121A-3D27-460C-A9AF-A1573F1F4568",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BC9779B-7571-44F7-BCCC-6BF2834ED779",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "02507EB2-8776-4EA9-9164-B2F6AD911B59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:*:*:*:*:*:*:*",
              "matchCriteriaId": "7867ADA5-47AA-48DD-9CAC-D3ACB5713CB3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "B5E3292A-7311-4821-A52E-8FB4A1449D44",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may result in memory corruption and the potential leakage of memory content. Successful exploitation of this vulnerability would have a low impact on the confidentiality of the application, with no effect on its integrity or availability."
    },
    {
      "lang": "es",
      "value": "Debido a una gesti\u00f3n de memoria inadecuada en SAP NetWeaver y ABAP Platform (Servidor de Aplicaciones ABAP), un atacante autenticado podr\u00eda explotar errores l\u00f3gicos en la gesti\u00f3n de memoria al proporcionar una entrada especialmente dise\u00f1ada que contiene caracteres \u00fanicos, los cuales se convierten de forma incorrecta. Esto podr\u00eda resultar en corrupci\u00f3n de memoria y la posible fuga de contenido de la memoria. La explotaci\u00f3n exitosa de esta vulnerabilidad tendr\u00eda un bajo impacto en la confidencialidad de la aplicaci\u00f3n, sin efecto en su integridad o disponibilidad."
    }
  ],
  "id": "CVE-2026-24320",
  "lastModified": "2026-02-17T15:27:30.400",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-10T04:16:03.990",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3678313"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-113"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.