VULNERABILITY OVERVIEW
A memory corruption vulnerability (CWE-121, stack-based buffer overflow) in the SAP Kernel's RFC (Remote Function Call) protocol handler allows an unauthenticated remote attacker to send a specially crafted RFC request that exploits logical errors in memory management. Successful exploitation can result in application crashes, unauthorized data access, or arbitrary code execution. CISA's ADP assessment flagged this flaw as automatable, meaning it is exploitable at scale. No workaround exists — the only remediation is a kernel-level patch.
CVSS BREAKDOWN
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope / Impact: UNCHANGED; C:H · I:H · A:H
AFFECTED VERSIONS
SAP NetWeaver and ABAP Platform — requires kernel update; no workaround available
CITATIONS
- https://www.securityweek.com/sap-patches-critical-netweaver-commerce-vulnerabilities/
- https://socradar.io/blog/sap-security-patch-day-june-2026-cve-2026-44748/
- https://www.bleepingcomputer.com/news/security/sap-fixes-critical-flaws-in-netweaver-and-commerce-cloud/
- https://erp.today/sap-june-2026-patch-day-critical-fixes-netweaver-abap-commerce-cloud/