CVE-2026-24320
Undergoing Analysis - In Progress
Memory Corruption in SAP NetWeaver ABAP via Improper Input Handling
Publication date: 2026-02-10
Last updated on: 2026-02-17
Assigner: SAP SE
Description
Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may result in memory corruption and the potential leakage of memory content. Successful exploitation of this vulnerability would have a low impact on the confidentiality of the application, with no effect on its integrity or availability.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | netweaver_as_abap_krnl64uc | 7.22 |
| sap | netweaver_as_abap_kernel | 7.22 |
| sap | netweaver_as_abap_kernel | 7.77 |
| sap | netweaver_as_abap_krnl64nuc | 7.22ext |
| sap | netweaver_as_abap_krnl64nuc | 7.22 |
| sap | netweaver_as_abap_kernel | 7.89 |
| sap | netweaver_as_abap_kernel | 7.54 |
| sap | netweaver_as_abap_kernel | 7.93 |
| sap | netweaver_as_abap_kernel | 9.16 |
| sap | netweaver_as_abap_kernel | 9.17 |
| sap | netweaver_as_abap_kernel | 9.18 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |