ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-27671 — Unauthenticated Stack Buffer Overflow in SAP NetWeaver RFC Kernel

A short review of CVE-2026-27671, a critical (CVSS 9.8) unauthenticated stack-based buffer overflow in the SAP Kernel's RFC protocol handling that enables memory corruption with high impact on confidentiality, integrity, and availability across SAP NetWeaver and ABAP Platform deployments.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

Brief Summary: CVE-2026-27671 — Unauthenticated Stack Buffer Overflow in SAP NetWeaver RFC Kernel
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated stack-based buffer overflow in the SAP Kernel's RFC protocol handler gives remote attackers a direct path to memory corruption across every Application Server ABAP instance in an organization's SAP landscape. Scored at CVSS 9.8 and requiring no credentials or user interaction, CVE-2026-27671 represents one of the most significant SAP vulnerabilities disclosed in 2026, continuing a multi-year pattern of critical memory safety failures in SAP's RFC communication layer.

Technical Information

Root Cause: Improper RFC Protocol Validation

CVE-2026-27671 originates in the SAP Kernel, the foundational binary layer that underpins all Application Server ABAP instances in SAP NetWeaver and the ABAP Platform. The vulnerability is rooted in improper validation of incoming RFC (Remote Function Call) protocol data. When the Kernel processes an RFC request, it fails to enforce proper bounds checking before writing protocol data into a stack-allocated buffer. This missing validation allows an attacker to supply a crafted RFC request containing oversized or malformed data that overflows the buffer.

The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow), which MITRE rates as having a "High" likelihood of exploit. CWE-121 is a variant of the broader CWE-787 (Out-of-bounds Write) and appears on the 2025 CWE Top 25 Most Dangerous Software Weaknesses list. This class of vulnerability is almost exclusively introduced during the implementation phase when using memory-unsafe languages such as C and C++, which is consistent with the SAP Kernel's known codebase.

In a stack-based buffer overflow, the attacker-controlled data overwrites adjacent stack items beyond the bounds of the target buffer. These adjacent items typically include saved frame pointers and return addresses. By carefully controlling the overflow data, an attacker can redirect execution flow when the vulnerable function returns, potentially achieving arbitrary code execution.

Attack Flow

The RFC protocol is SAP's primary inter-process and inter-system communication mechanism. RFC listeners accept network connections on well-known ports, and in the case of CVE-2026-27671, the NVD description explicitly states that no authentication is required. The attack flow proceeds as follows:

  1. Network reconnaissance: The attacker identifies an SAP system with an exposed RFC listener, reachable over the network. RFC services typically listen on predictable port ranges.

  2. Crafted RFC request: The attacker constructs a malicious RFC request containing data designed to exceed the bounds of a stack-allocated buffer within the Kernel's RFC processing code. The NVD description characterizes this as exploiting "logical errors in memory management."

  3. Buffer overflow trigger: The SAP Kernel receives the request and processes it without adequate bounds validation. The oversized data overflows the stack buffer, corrupting adjacent memory including control flow data such as saved return addresses.

  4. Memory corruption impact: The resulting memory corruption has high impact on confidentiality (potential information disclosure from memory), integrity (potential code execution or data manipulation), and availability (potential system crash or denial of service).

Historical RFC Attack Surface Research

This vulnerability fits squarely within a well-documented attack surface. SEC Consult's research, presented at TROOPERS 2023 under the title "From RFC to RCE 16 Years Later," demonstrated that RFC protocol weaknesses have been a persistent attack vector for over 16 years and that RFC vulnerabilities can be chained together to achieve full remote code execution on SAP applications.

Additionally, research by Andreas Wiegenstein documented that certain ABAP-to-Kernel communication paths create buffer overflow risks. Specifically, the kernel call C_SAPCPARAM can be used to trigger a SAP Kernel buffer overflow via ABAP, and this path is also available remotely via RFC. This finding underscores that the Kernel's handling of RFC-initiated calls has been a recurring source of memory safety violations.

Prior Analogous Vulnerabilities

CVE-2026-27671 is not an isolated incident. The following table summarizes prior SAP Kernel and RFC memory corruption vulnerabilities that share key characteristics:

CVECVSSWeaknessAuthentication Required
CVE-2023-00149.8RFC vulnerabilityUnauthenticated
CVE-2021-276109.8RFC vulnerabilityUnauthenticated
CVE-2021-276337.5Memory corruption in ThCPIC() via RFC GatewayUnauthenticated
CVE-2021-275977.5Improper input validation in GwCheckReceivedSapParams()Unauthenticated
CVE-2021-276347.5Memory corruption in ThCpicDtCreate() via RFCUnauthenticated

CVE-2021-27633 is particularly instructive: it involved a memory corruption vulnerability in the ThCPIC() function of the Disp+work binary through the SAP RFC Gateway service, where a malicious RFC packet reached ThrtHdlAppc() and inputs were modified and sent to disp+work via ThSAPCMSEND(), causing a crash. All three of the 2021 CVEs (27597, 27633, 27634) were exploitable remotely without authentication and affected multiple SAP Kernel versions including 7.22, 7.22EXT, 7.49, 7.53, 7.73, 7.77, 7.81, and 8.04.

Kernel-Level Impact Scope

Because the flaw resides in the SAP Kernel itself rather than in an individual application component, a successful exploit affects the foundational layer of the entire SAP system. Every Application Server ABAP instance running a vulnerable Kernel version is potentially affected, regardless of which SAP applications are deployed on top of it.

Affected Systems and Versions

The vulnerability affects the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform. Specific affected Kernel version numbers and minimum patch levels are documented in SAP Security Note 3717897, which requires SAP Support Portal access to view.

Based on the pattern established by prior analogous RFC Kernel vulnerabilities (CVE-2021-27597, CVE-2021-27633, CVE-2021-27634), affected versions have historically spanned multiple Kernel release lines including 7.22, 7.22EXT, 7.49, 7.53, 7.73, 7.77, 7.81, and 8.04. Organizations should consult SAP Note 3717897 directly to confirm the exact version ranges applicable to CVE-2026-27671.

Vendor Security History

SAP SE has a substantial vulnerability track record that provides important context for evaluating CVE-2026-27671:

SAP has accumulated 834 published CVE records since 2018. Of these, 8 CVEs appear in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming that SAP vulnerabilities are actively targeted by threat actors in real-world attacks. Additionally, 54 CVEs have known public exploits available, establishing that exploit code for SAP vulnerabilities is routinely developed and shared.

The 2026 SAP Security Patch Day cycle has already included several critical issues prior to this June disclosure:

MonthNotable Issues
January 2026CVE-2026-0501 SQL Injection in S/4HANA; RFCSDK vulnerability
February 202626 security notes including Kernel-level authorization gap in RFC execution paths
March 2026Critical vulnerabilities in NetWeaver
April 2026Critical SQL injection in BPC; critical ABAP vulnerability
June 2026CVE-2026-27671 RFC memory corruption in SAP Kernel

Several recent SAP vulnerabilities are worth noting for context. CVE-2025-31324 was a zero-day affecting SAP NetWeaver identified by Onapsis as a top SAP vulnerability of 2025, underscoring the persistent risk of unpatched SAP systems. CVE-2025-42989 (CVSS 9.6) was a privilege escalation vulnerability in SAP NetWeaver Application Server for ABAP stemming from inadequate authorization checks during RFC inbound processing. CVE-2025-42976 was a memory corruption vulnerability in the BIC Document component of SAP NetWeaver Application Server ABAP.

The recurrence of RFC-related and Kernel-level memory corruption vulnerabilities across 2021, 2023, 2025, and now 2026 demonstrates that SAP's incremental patching approach has not fundamentally eliminated this vulnerability class. CISA's Secure by Design guidance recommends architectural elimination through memory-safe languages, but SAP's massive C/C++ Kernel codebase makes this a long-term proposition.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization