Microsoft’s Patch Tuesday April 2026 release has introduced one of the most extensive security update rollouts of the year, addressing a total of 167 vulnerabilities across Windows operating systems and associated software.
This latest Microsoft Patch Tuesday also includes fixes for two zero-day vulnerabilities, one of which was actively exploited in real-world attacks, alongside critical flaws affecting SharePoint Server, Microsoft Defender, and Microsoft Office.
The April edition of Microsoft Patch Tuesday highlights the complexity of modern cyber threats. Among the 167 vulnerabilities patched, eight are classified as “Critical.” Of these, seven involve remote code execution (RCE), while one relates to a denial-of-service (DoS) issue. The remaining vulnerabilities fall under various categories:
- 93 Elevation of Privilege vulnerabilities
- 13 Security Feature Bypass vulnerabilities
- 20 Remote Code Execution vulnerabilities
- 21 Information Disclosure vulnerabilities
- 10 Denial of Service vulnerabilities
- 9 Spoofing vulnerabilities
Additionally, the security update addresses two zero-day vulnerabilities and several flaws in Microsoft Office applications.
Microsoft Patch Tuesday: Zero-Day Vulnerabilities in Focus
A major focus of the April 2026 Patch Tuesday cycle is the remediation of two zero-day vulnerabilities. One of the most concerning issues is an actively exploited spoofing vulnerability in Microsoft SharePoint Server. According to Microsoft, “Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.”
The company further explained that a successful attack could allow threat actors to access sensitive information and modify it, affecting both confidentiality and integrity, though not availability. Microsoft has not disclosed details about how the vulnerability was exploited or who discovered it.
The second zero-day, tracked as CVE-2026-33825, affects Microsoft Defender and allows attackers to gain SYSTEM-level privileges. This flaw has been resolved in Microsoft Defender Antimalware Platform version 4.18.26050.3011, which is being distributed automatically. Users can also manually install the update via Windows Security settings. The vulnerability was discovered by Zen Dodd and Yuanpei XU from HUST working with Diffract.
Critical Vulnerabilities and Exploitation Risks
Beyond zero-days, the April 2026 Microsoft Patch Tuesday includes several critical vulnerabilities that demand immediate attention. For instance, CVE-2026-23666 affects the .NET framework and could allow attackers to carry out a denial-of-service attack over a network.
Another critical flaw, CVE-2026-32157, impacts the Remote Desktop Client. It is a use-after-free vulnerability that can lead to code execution if a user connects to a malicious server. Similarly, multiple Microsoft Office vulnerabilities, such as CVE-2026-32190, CVE-2026-33114, and CVE-2026-33115, require local code execution but can be triggered remotely, often through malicious documents or even the preview pane. This makes them particularly dangerous in environments where users frequently handle email attachments.
CVE-2026-33824 targets the Windows Internet Key Exchange (IKE) extension and allows unauthenticated attackers to send specially crafted packets to achieve remote code execution. Microsoft recommends blocking inbound UDP ports 500 and 4500 if IKE is not in use as a mitigation step.
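The mitigation above, as an added PowerShell example that is not from Microsoft's advisory or the original article: it reports whether IKE/IPsec appears to be in use on a host and, only when run with -Apply and no usage is found, adds a Windows Firewall rule blocking inbound UDP 500 and 4500. The rule name, the -Apply switch and the "in use" heuristic are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit IKE usage, then block inbound UDP 500/4500 only if IKE looks unused.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$ports    = 500, 4500
$ruleName = 'Block inbound IKE (UDP 500/4500)'   # hypothetical rule name

# Collect evidence that IKE/IPsec is actually used on this host.
$ikeSvc     = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$listeners  = @(Get-NetUDPEndpoint -LocalPort $ports -ErrorAction SilentlyContinue)
$ipsecRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
                Where-Object Enabled -eq 'True')
$mainModeSa = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    IkeExtStatus      = if ($ikeSvc) { $ikeSvc.Status } else { 'NotInstalled' }
    UdpListeners      = ($listeners.LocalPort | Sort-Object -Unique) -join ','
    EnabledIpsecRules = $ipsecRules.Count
    ActiveMainModeSA  = $mainModeSa.Count
} | Format-List

# Assumed heuristic: enabled IPsec rules or live main-mode SAs mean IKE is in use.
# A running IKEEXT service or an open listener alone is reported but not treated as proof.
if ($ipsecRules.Count -gt 0 -or $mainModeSa.Count -gt 0) {
    Write-Warning 'IKE/IPsec appears to be in use; blocking UDP 500/4500 would break it. Patch instead.'
    return
}

if (-not $Apply) {
    Write-Host 'IKE appears unused. Re-run with -Apply to add the inbound block rule.'
    return
}

# Idempotent: create the block rule only if it does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $ports -Action Block -Profile Any | Out-Null
}

# Show the rule as the firewall now holds it.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

The block rule is a stopgap until the update is installed; remove it with Remove-NetFirewallRule -DisplayName using the same name if IPsec or an IKE-based VPN is later deployed on the host.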
Other notable critical issues include vulnerabilities in Active Directory (CVE-2026-33826) and Windows TCP/IP (CVE-2026-33827), both of which could enable remote code execution under specific conditions.
Office and SharePoint Remain High-Risk Targets
The April Patch Tuesday release also underscores the risk posed by Microsoft Office and SharePoint. Multiple RCE vulnerabilities in Word and Excel can be exploited through malicious files, reinforcing the need for users to update their Office installations promptly.
Another vulnerability, CVE-2026-32201, affects SharePoint and allows spoofing attacks that can expose and alter sensitive data. This issue has already been observed in active exploitation.
While most vulnerabilities are rated as “Important,” security researchers have flagged several as more likely to be exploited. These include flaws in UEFI Secure Boot (CVE-2026-0390), Windows Kernel memory disclosure (CVE-2026-26169), and multiple elevation-of-privilege issues affecting components like WinSock, BitLocker, and the Desktop Window Manager.
Other notable vulnerabilities include spoofing issues in Remote Desktop and Windows Shell, as well as security bypass flaws in Windows Hello and BitLocker.
Outside of Microsoft, the April Patch Tuesday period also saw Google release fixes for its fourth Chrome zero-day vulnerability of 2026. Meanwhile, Adobe issued an emergency update for Acrobat Reader to address an actively exploited remote code execution flaw.