Release date: July 14, 2026
Version: 16.0.4262.2
- Summary
- Known issues in this update
- Improvements and fixes included in this update
- How to obtain and install the update
- How to obtain or download the latest cumulative update package for Linux
- More information
- File information
- Information about protection and security
Summary
This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:
- CVE-2026-47295 - Microsoft SQL Server Elevation of Privilege Vulnerability
- CVE-2026-47296 - Microsoft SQL Server Elevation of Privilege Vulnerability
- CVE-2026-54118 - Microsoft SQL Server Remote Code Execution Vulnerability
- CVE-2026-55002 - Microsoft SQL Server Elevation of Privilege Vulnerability
The Microsoft SQL Server components are updated to the following builds in this security update:
- SQL Server - product version: 16.0.4262.2, file version: 2022.160.4262.2
Important
To help secure SQL Server on Windows, enable encryption with Extended Protection.
Known issues in this update
Linked server queries that use MSDASQL fail with error 7416
Linked server queries that use the MSDASQL (OLE DB Provider for ODBC Drivers) provider and specify a provider string (@provstr) fail and return the following error message:
Msg 7416, Level 16
Access to the remote server is denied because no login-mapping exists.
A stricter connection validation check in the Database Engine can reject connections for certain linked server configurations that use the MSDASQL provider, even if earlier builds allowed those connections.
For more information and workarounds, see Linked server queries that use MSDASQL fail with error 7416.
Improvements and fixes included in this update
A downloadable Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists. Download this Excel file now.
Note
Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.
| Bug reference | Description | Fix area | Component | Platform |
|---|---|---|---|---|
| 5340801 | This fix resolves an insecure deserialization vulnerability in MessageQueueTask by restricting SoapFormatter deserialization that uses an allow list binder. The restriction prevents remote code execution (RCE) from untrusted Microsoft Message Queuing (MSMQ) message. | Integration Services | Integration Service | Windows |
| 5337383 | This fix resolves a memory leak that occurs if the sys.dm_exec_input_buffer dynamic management function (DMF) or the DBCC INPUTBUFFER command is used. |
SQL Server Engine | Query Execution | Linux, Windows |
| 5336750 | This fix addresses input validation and sanitization of user input for a parameter that's passed to an internal replication stored procedure by validating and sanitizing the input before the stored procedure uses it. | SQL Server Engine | Replication | Linux, Windows |
| 5263358 | This fix resolves an SQL injection vulnerability in SQL Server in which improper neutralization of special elements in SQL Server commands allows an authenticated attacker to elevate privileges over a network. | SQL Server Engine | SQL Agent | Linux, Windows |
How to obtain and install the update
Method 1: Windows Update
This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.
Method 2: Microsoft Update Catalog
To get the standalone package for this update, go to the Microsoft Update Catalog website.
Note
- The detection logic has been updated for this and future security releases that are posted to the Microsoft Update Catalog website. For more information, see Updates to the Microsoft Update detection logic for SQL Server servicing.
- This update is made available through the Microsoft Update Catalog for all servers that are running SQL Server, even if Reporting Services is not installed. Installing this security update is optional for computers that do not host Microsoft SQL Server Reporting Services.
Method 3: Microsoft Download Center
The following file is available for download from the Microsoft Download Center:
How to obtain or download the latest cumulative update package for Linux
To update SQL Server 2022 on Linux to the latest CU, you must first have the Cumulative Update repository configured. Then, update your SQL Server packages by using the appropriate platform-specific update command.
For installation instructions and direct links to the CU package downloads, see the SQL Server 2022 Release Notes.
More information
Prerequisites
To apply this update, you must have SQL Server 2022 or any SQL Server 2022 CU release through this SQL Server 2022 CU25 GDR installed.
Security update deployment information
For deployment information about this update, see Deployments - Security Update Guide.
File hash information
| File name | SHA256 hash |
|---|---|
| SQLServer2022-KB5101347-x64.exe | D007F7EC43DF8F0FB781EEE95746490DB69B0572D3A5771DF013E3E3875ED08B |
File information
The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x64-based versions - Download the list of files that are included in security update 5101347.
Information about protection and security
Protect yourself online: Windows Security support
Learn how we guard against cyber threats: Microsoft Security