CVE-2026-27671 CRITICAL

CVE-2026-27671: Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

Vendor Sap_Se
Product SAP NetWeaver AS ABAP and ABAP Platform
Weakness CWE-121
Published June 9, 2026
Last update June 9, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 9, 2026 Record updated