CVE-2026-24320
EUVD-2026-6470
10.02.2026, 04:16
Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may result in memory corruption and the potential leakage of memory content. Successful exploitation of this vulnerability would have a low impact on the confidentiality of the application, with no effect on its integrity or availability.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| sap | netweaver_as_abap_kernel | 7.22 |
| sap | netweaver_as_abap_kernel | 7.54 |
| sap | netweaver_as_abap_kernel | 7.77 |
| sap | netweaver_as_abap_kernel | 7.89 |
| sap | netweaver_as_abap_kernel | 7.93 |
| sap | netweaver_as_abap_kernel | 9.16 |
| sap | netweaver_as_abap_kernel | 9.17 |
| sap | netweaver_as_abap_kernel | 9.18 |
| sap | netweaver_as_abap_krnl64nuc | 7.22 |
| sap | netweaver_as_abap_krnl64nuc | 7.22ext:ext |
| sap | netweaver_as_abap_krnl64uc | 7.22 |
Common Weakness Enumeration
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'): The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
- CWE-787 - Out-of-bounds Write: The software writes data past the end, or before the beginning, of the intended buffer.