Wasteland.

CVE-2026-27671: Critical Unauthenticated RCE in SAP NetWeaver ABAP Kernel

A critical (CVSS 9.8) memory-corruption flaw in the SAP Kernel lets an unauthenticated attacker compromise the confidentiality, integrity, and availability of SAP NetWeaver and ABAP Platform systems via a crafted RFC request.

What Is It

CVE-2026-27671 stems from improper validation of the RFC protocol in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and the ABAP Platform. An unauthenticated attacker can send a crafted RFC request that triggers logical errors in memory management and so corrupts memory; the weakness is classified as CWE-121 (stack-based buffer overflow). The CVSS 3.1 base score is 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network (AV:N), low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N) required, scope unchanged (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

Why It Matters

With no authentication required and a network attack vector, the flaw is reachable by anyone who can open a connection to the RFC-facing ports of an affected instance; on a NetWeaver system that typically means the dispatcher (32NN) and gateway (33NN) ports, where NN is the instance number. Successful exploitation yields high impact across confidentiality, integrity, and availability: an attacker could read business data, alter application behaviour, and disrupt service on business-critical SAP systems, and memory corruption inside the kernel process is the classic route to the arbitrary code execution the RCE classification implies. The 9.8 score reflects the rare combination of trivial exploitability and total impact. Until the patch is applied, restricting which networks can reach those ports shrinks the exposed population but does not remove the flaw.

What's Vulnerable

The affected component is the SAP Kernel as used by the Application Server ABAP of SAP NetWeaver and the ABAP Platform. The supplied NVD record lists no CPE configurations, so no affected version ranges can be enumerated here; refer to the vendor SAP Note for the exact affected kernel releases and patch levels.

Patch Status

The vulnerability was disclosed by SAP, which is the assigning CNA, and is being addressed as part of SAP's June 2026 Security Patch Day, scheduled for 2026-06-09. SAP is expected to document the fix in SAP Note 3717897; administrators should apply the corresponding kernel patch as soon as it becomes available, then confirm the installed kernel patch level on every instance (for example with disp+work -V, or sapcontrol -nr <instance> -function GetVersionInfo) against the level named in the note. The supplied source material contains no CISA KEV entry, so there is no confirmation of active exploitation at this time.
