CVE-2026-27671

CRITICAL

SAP NetWeaver ABAP SAP Kernel - Memory Corruption via RFC Request


Description

Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.

Scores

CVSS v3: 9.8
EPSS: 0.0040
EPSS Percentile: 31.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-121
Status: published
Products (26)
SAP_SE/SAP NetWeaver and ABAP Platform 7.22EXT
SAP_SE/SAP NetWeaver and ABAP Platform 7.53
SAP_SE/SAP NetWeaver and ABAP Platform 7.54
SAP_SE/SAP NetWeaver and ABAP Platform 7.77
SAP_SE/SAP NetWeaver and ABAP Platform 7.89
SAP_SE/SAP NetWeaver and ABAP Platform 7.93
SAP_SE/SAP NetWeaver and ABAP Platform 722EXT
SAP_SE/SAP NetWeaver and ABAP Platform 9.16
SAP_SE/SAP NetWeaver and ABAP Platform 9.18
SAP_SE/SAP NetWeaver and ABAP Platform 91.9
... and 16 more
Published: Jun 09, 2026
Tracked Since: Jun 09, 2026