SAP released security updates on July 14, 2026, as part of the July 2026 Security Patch Day. CVE-2026-44747, rated CVSS 9.9, is the most severe vulnerability in the bulletin: an out-of-bounds write in the SAP NetWeaver Application Server ABAP kernel that exposes memory corruption with only user authentication as a prerequisite. The fix requires a kernel recompile, not a simple configuration change, and the temporary workaround disables SAP GUI for HTML, a capability used in enterprise environments where the thin client is the operational standard.
- CVE-2026-44747 carries a CVSS 9.9 per the official NVD record with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, the highest score of the July 2026 patch day.
- The vulnerability is an out-of-bounds write (CWE-787) in SAP NetWeaver Application Server ABAP: an authenticated attacker exploits logical errors in memory management to cause memory corruption with high impact on confidentiality, integrity, and availability.
- Affected kernel versions span branches 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, 9.20 and corresponding KRNL64 variants, per the SOCRadar technical list and NVD record confirmation.
- The workaround via transaction SICF prevents opening transactions in SAP GUI for HTML, rendering it inapplicable for many customers who depend on web access to the system.
The Mechanism: Why a Memory Allocation Error Scores 9.9
The technical description provided by SAP and reported by BleepingComputer is unequivocal: "SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability. This has high impact on confidentiality, integrity, and availability of the application." The NVD (National Vulnerability Database) record confirms the same reading with the CVSS score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
The attack requires no administrative privileges: a standard authenticated user suffices. The scope is "changed" (S:C in the vector), meaning compromise of a single ABAP instance propagates beyond its security scope. In practice, a user with valid credentials — even without special authorizations — can corrupt the ABAP kernel's heap memory and from there achieve arbitrary read or write on corporate data, alter transactional records, or cause denial of service on the ERP system.
SOCRadar classifies the weakness as CWE-787, out-of-bounds write. This bug category is among the most dangerous in kernel codebases because the corruption point is the very data structure managing dynamic allocation: overwriting heap metadata can redirect pointers and open subsequent attack primitives. This is not a stack buffer overflow with modern mitigations (canaries, ASLR, NX) that are easily bypassed; it is corruption of the ABAP kernel heap, where countermeasures are rarer and the attack surface is the runtime of business-critical processes.
The Operational Dilemma: Patch the Kernel or Lose GUI HTML
The fix requires installing a patched version of the ABAP kernel. This is not an application component update that deploys without stopping the system: the kernel is the fundamental NetWeaver runtime, so the operation implies planned downtime, regression testing, and coordination with the vendor or MSP.
As a temporary alternative, SAP proposes — and Onapsis Research Labs has documented — disabling all ICF (Internet Communication Framework) nodes with a specific property via transaction SICF. But the limitation is immediate: "Since the workaround will disable opening transactions in SAP GUI for HTML, it is not an option for all customers and it is strongly recommended to install the patching ABAP Kernel version," as reported by The Hacker News citing Onapsis. SOCRadar adds that "this measure also prevents users from opening transactions through SAP GUI for HTML, making it unsuitable for some environments."
The choice is binary and uncomfortable. For organizations that have standardized on web access to SAP — a common configuration in recent deployments and thin-client environments — the workaround equates to operationally interrupting user access. For those retaining SAP GUI for Windows or traditional access, it is technically feasible but requires precise verification of active ICF services. In both cases, the sources' recommendation converges: the patched kernel is the definitive solution.
"The vulnerability was patched with support from Onapsis Research Labs." — SOCRadar
Patch Day Context: Three Criticals and No Known Exploitation
The July 2026 Security Patch Day included 16 new security notes and 1 GitHub advisory, according to SOCRadar. Beyond CVE-2026-44747, sources identify two other critical vulnerabilities: CVE-2026-27690 in SAP Approuter (CVSS 9.1, HTTP request smuggling) and CVE-2026-44761 in Commerce Cloud (CVSS 9.1, default credentials). Official NVD records confirm both scores with their respective vectors: for CVE-2026-27690, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H; for CVE-2026-44761, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
None of the primary sources — The Hacker News, BleepingComputer, SecurityWeek, SecurityOnline — report evidence of in-the-wild exploitation at the time of publication. BleepingComputer explicitly cites SAP: "company has yet to find evidence that the vulnerabilities patched today have been exploited in attacks." This absence does not eliminate risk: SAP has long been in the crosshairs of ransomware groups, and entities like CISA maintain a KEV (Known Exploited Vulnerabilities) catalog that includes 14 SAP flaws, some actively exploited by criminal gangs, as documented by BleepingComputer in previous reports.
The remediation window exists, but the history of supply chain attacks and SAP patches suggests actors monitor bulletins for post-patch reverse-engineering. June 2026 saw a supply chain incident involving counterfeit npm packages with SAP branding; July 2026 presents an internal attack surface in the kernel with potentially broader enterprise impact because it touches the runtime of nearly all core ERP systems.
What to Do Now
- Verify the ABAP kernel version in use against the list of affected branches: 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, 9.20 and KRNL64 variants, per SOCRadar data and the NVD record for CVE-2026-44747.
- Assess the applicability of the SICF workaround by mapping dependencies on SAP GUI for HTML: if the environment uses web thin clients, the workaround is incompatible with operations.
- Plan downtime for installation of the patched kernel in coordination with the SAP vendor or reference MSP, including a non-production test phase given the criticality of the component.
- Monitor the CISA KEV catalog and SAP bulletins for potential emergence of in-the-wild exploitation, given that no source currently confirms active attacks but the risk profile remains elevated.
Why the ABAP Kernel Is the Worst Place for a 9.9
The severity of CVE-2026-44747 is not just in the number. A bug with the same CVSS in a perimeter application can be mitigated with WAF, rate limiting, network segmentation. A bug in the ABAP kernel sits beyond every perimeter layer: the attacker is already authenticated, the vulnerable code has access to the memory of the runtime executing financial transactions, logistics, human resources. The Web Application Firewall does not intercept an out-of-bounds write in the kernel's heap allocator.
The NVD vector structure is eloquent: attack vector network (AV:N), low complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), scope changed (S:C). Every parameter indicates an automatable, scalable attack with implicit escalation. For CISOs, the game plays out now in the speed of kernel version verification and in negotiating downtime with business units. The SICF workaround is a pain test: those who cannot afford to lose SAP GUI for HTML already have the answer on how critical the functionality is, and how urgently the kernel must be patched.
Onapsis Research Labs, cited by SOCRadar as a direct contributor to the resolution, has also documented the workaround's limitations. The combination of technical expertise and operational awareness reflects the maturity of SAP security research, a field where researchers must balance responsible disclosure with the awareness that many enterprise customers move slowly on kernel changes. July 14, 2026 marks another tension point in this dynamic.
Frequently Asked Questions
Why is the SICF workaround not sufficient?
Because it disables access to transactions via SAP GUI for HTML, a standard usage mode in many enterprise environments. Cited sources agree in considering it temporary and not universally applicable.
Does CVE-2026-44747 allow arbitrary remote code execution?
The brief and sources document memory corruption with potential data access, modification, and DoS. The mechanism is out-of-bounds write (CWE-787). No explicit claims of RCE as a guaranteed outcome emerge from the sources: the documented impact is on confidentiality, integrity, and availability with changed scope.
How many vulnerabilities did SAP fix in the patch day?
According to SOCRadar, 16 new security notes and 1 GitHub advisory. BleepingComputer and The Hacker News identify three criticals: CVE-2026-44747 (CVSS 9.9), CVE-2026-27690 (CVSS 9.1), and CVE-2026-44761 (CVSS 9.1).
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/07/sap-patches-cvss-99-netweaver-abap-flaw.html
- https://www.bleepingcomputer.com/news/security/sap-warns-of-critical-flaws-in-netweaver-and-commerce-cloud/
- https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-netweaver-approuter-commerce-cloud/
- https://isc.sans.edu/diary/rss/33154
- https://securityonline.info/sap-patch-day-july-2026/
- https://www.securityweek.com/sap-patches-critical-netweaver-commerce-vulnerabilities/
- https://socradar.io/blog/sap-security-patch-day-july-2026-cve-2026-44747/
- https://nvd.nist.gov/vuln/detail/CVE-2026-44747
- https://nvd.nist.gov/vuln/detail/CVE-2026-27690
- https://nvd.nist.gov/vuln/detail/CVE-2026-44761
- https://www.cve.org/CVERecord?id=CVE-2026-27690
- https://nvd.nist.gov/vuln/detail/CVE-2026-44745