April 2026 Patch Tuesday: 165 Vulnerabilities, Two Zero-Days Including One Actively Exploited
Microsoft released its April 2026 Patch Tuesday security updates, resolving a total of 165 vulnerabilities across Windows and multiple Microsoft products and components.
This month’s release includes two zero-day vulnerabilities: one actively exploited in the wild, and one publicly disclosed before today’s patch but not yet confirmed as exploited. Of the 165 vulnerabilities, 8 are rated Critical severity.
Elevation of Privilege vulnerabilities once again dominated the release, accounting for more than half of all patches (93 of 165). The full breakdown by vulnerability type is as follows:
- 93 Elevation of Privilege vulnerabilities,
- 20 Remote Code Execution vulnerabilities,
- 20 Information Disclosure vulnerabilities,
- 12 Security Feature Bypass vulnerabilities,
- 10 Spoofing vulnerabilities,
- 9 Denial of Service vulnerabilities,
- 1 Tampering vulnerability.
Zero-Day Vulnerabilities Addressed in April 2026 Patch Tuesday
The April 2026 Patch Tuesday release addressed two zero-day vulnerabilities. One has been confirmed as actively exploited in the wild, while the other was publicly disclosed prior to today’s patch without confirmed exploitation. Still, public disclosure before patching meaningfully widens the window of opportunity for threat actors.
CVE-2026-32201 (CVSS 6.5) – Microsoft SharePoint Server Spoofing Vulnerability
CVE-2026-32201 is an improper input validation flaw in Microsoft SharePoint Server that lets an unauthenticated attacker carry out spoofing over the network. What makes this issue especially important is not just the bug class, but the fact that Microsoft reported it as exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on April 14, 2026.

Details of CVE-2026-32201 (SOCRadar Vulnerability Intelligence)
Because SharePoint often sits in a central role for document sharing and collaboration, a flaw that can help attackers misrepresent content, services, or trusted interactions can create a valuable opening for follow-on activity. Organizations using on-premises SharePoint, especially internet-exposed deployments, should treat this as a priority patch rather than a routine update.
Under CISA’s guidance, federal civilian agencies must remediate the flaw by April 28, 2026.
CVE-2026-33825 (CVSS 7.8) – Microsoft Defender Elevation of Privilege Vulnerability
CVE-2026-33825 is a local elevation of privilege vulnerability in Microsoft Defender caused by insufficiently granular access control. It allows an authenticated attacker with local access to raise privileges on a target system, with multiple reports noting that successful exploitation can lead to SYSTEM-level access.
Although Microsoft listed this flaw as publicly disclosed rather than actively exploited, that status still raises urgency because researchers linked it to the recently published BlueHammer proof-of-concept work around Windows Defender privilege escalation. Public technical details can accelerate exploit refinement, even when early PoC code is unstable or incomplete.

Details of CVE-2026-33825 (SOCRadar Vulnerability Intelligence)
For organizations that rely on Defender as a baseline protection layer, the update should be applied quickly to reduce the risk of local compromise turning into full administrative control.
Critical Vulnerabilities in April 2026 Patch Tuesday
Microsoft addressed eight Critical-severity vulnerabilities as part of this month’s updates:
- CVE-2026-33824 (CVSS 9.8) – Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
- CVE-2026-32157 (CVSS 8.8) – Remote Desktop Client Remote Code Execution Vulnerability
- CVE-2026-32190 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
- CVE-2026-33114 (CVSS 8.4) – Microsoft Word Remote Code Execution Vulnerability
- CVE-2026-33115 (CVSS 8.4) – Microsoft Word Remote Code Execution Vulnerability
- CVE-2026-33826 (CVSS 8.0) – Windows Active Directory Remote Code Execution Vulnerability
- CVE-2026-33827 (CVSS 8.1) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2026-23666 (CVSS 7.5) – .NET Framework Denial of Service Vulnerability
The IKE Service Extensions RCE (CVE-2026-33824) stands out with the highest CVSS score of the month at 9.8: network-accessible, no authentication required, and no user interaction needed. Exposure depends on the IKE and AuthIP IPsec Keying Modules service (IKEEXT) running and being reachable on UDP 500/4500, which is typical for VPN gateways and for any host with IPsec policy applied, so those systems should lead the deployment. The two Word RCE vulnerabilities and the Office RCE are notable for their potential to be triggered through document-based attack chains. The Remote Desktop Client RCE and the Windows Active Directory RCE round out a set of Critical patches that span both client and server attack surfaces and should be prioritized accordingly.

Details of CVE-2026-33824 (SOCRadar Vulnerability Intelligence)
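To decide which hosts should get the IKE fix first, a practitioner will want to know where the IKE service is actually reachable. The following PowerShell function is an added example written for this post, not code from Microsoft or from the original article; it only reports the service state, bound UDP sockets and inbound firewall rules for UDP 500/4500, and it does not test for the vulnerability itself. The function name Get-IkeExposure and the LikelyReachable heuristic are this example's own choices.

```powershell
# Added example: triage IKE (IKEEXT) network exposure on a Windows host.
# Read-only; uses only built-in cmdlets from the NetTCPIP and NetSecurity modules.
function Get-IkeExposure {
    [CmdletBinding()]
    param()

    # IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service that hosts IKE.
    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue

    # IKE listens on UDP 500; NAT traversal (NAT-T) uses UDP 4500.
    $listeners = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess)

    # Enabled inbound allow rules whose port filter covers UDP 500, UDP 4500, or "Any".
    # Limitation: a rule expressed as a port range (e.g. 400-600) is not matched here.
    $rules = @(Get-NetFirewallPortFilter -Protocol UDP -ErrorAction SilentlyContinue |
        Where-Object {
            $ports = @($_.LocalPort)
            $ports -contains '500' -or $ports -contains '4500' -or $ports -contains 'Any'
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Profile)

    if ($svc) {
        $status    = $svc.Status.ToString()
        $startType = $svc.StartType.ToString()
    } else {
        $status    = 'NotInstalled'
        $startType = 'n/a'
    }

    # Heuristic: reachable only when the service runs, a socket is bound, and a rule admits traffic.
    $reachable = [bool]($svc -and $svc.Status -eq 'Running' -and $listeners.Count -gt 0 -and $rules.Count -gt 0)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IkeServiceStatus  = $status
        IkeStartType      = $startType
        UdpListeners      = $listeners
        InboundAllowRules = $rules
        LikelyReachable   = $reachable
    }
}

# Usage: run on each candidate host (or via Invoke-Command) and act on LikelyReachable first.
Get-IkeExposure | Format-List
```

A host that reports IkeStartType as Manual with no bound sockets is not safe to deprioritize indefinitely: IKEEXT is trigger-started when an IPsec policy or VPN connection is configured, so the result should be re-checked after configuration changes and the patch still deployed everywhere on the normal schedule.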
High-Risk Vulnerabilities to Watch in April 2026 Patch Tuesday
Beyond the zero-days, Microsoft flagged the following vulnerabilities as Exploitation More Likely, signaling an elevated risk of near-term weaponization:
- CVE-2026-32225 (CVSS 8.8) – Windows Shell Security Feature Bypass Vulnerability
- CVE-2026-32162 (CVSS 8.4) – Windows COM Elevation of Privilege Vulnerability
- CVE-2026-33826 (CVSS 8.0) – Windows Active Directory Remote Code Execution Vulnerability
- CVE-2026-33825 (CVSS 7.8) – Microsoft Defender Elevation of Privilege Vulnerability
- CVE-2026-27909 (CVSS 7.8) – Windows Search Service Elevation of Privilege Vulnerability
- CVE-2026-27914 (CVSS 7.8) – Microsoft Management Console Elevation of Privilege Vulnerability
- CVE-2026-32152 (CVSS 7.8) – Desktop Window Manager Elevation of Privilege Vulnerability
- CVE-2026-32154 (CVSS 7.8) – Desktop Window Manager Elevation of Privilege Vulnerability
- CVE-2026-27913 (CVSS 7.7) – Windows BitLocker Security Feature Bypass Vulnerability
- CVE-2026-26151 (CVSS 7.1) – Remote Desktop Spoofing Vulnerability
- CVE-2026-27908 (CVSS 7.0) – Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability
- CVE-2026-27921 (CVSS 7.0) – Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability
- CVE-2026-32070 (CVSS 7.0) – Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2026-32075 (CVSS 7.0) – Windows UPnP Device Host Elevation of Privilege Vulnerability
- CVE-2026-32093 (CVSS 7.0) – Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability
- CVE-2026-0390 (CVSS 6.7) – UEFI Secure Boot Security Feature Bypass Vulnerability
- CVE-2026-26169 (CVSS 6.1) – Windows Kernel Memory Information Disclosure Vulnerability
- CVE-2026-27906 (CVSS 4.4) – Windows Hello Security Feature Bypass Vulnerability
- CVE-2026-32202 (CVSS 4.3) – Windows Shell Spoofing Vulnerability
The majority of these are local Elevation of Privilege vulnerabilities that allow an authenticated attacker to gain elevated or SYSTEM-level access. Components like the Common Log File System Driver, Desktop Window Manager, and Windows Shell are frequently chained with initial-access exploits in multi-stage intrusions. The BitLocker flaw is particularly noteworthy: a bypass of full-disk encryption protections that does not require elevated privileges is a meaningful risk for lost or stolen devices and for certain physical-access attack scenarios. The Windows Shell CVE-2026-32225 (CVSS 8.8) and Windows COM CVE-2026-32162 (CVSS 8.4) carry higher scores than typical EoP issues and merit close attention.
Apply Microsoft’s Security Updates for April 2026
Microsoft’s April 2026 Patch Tuesday security updates address vulnerabilities across a wide range of widely used products and components, many directly exposed to user interaction or internet-facing infrastructure. Systems affected by these flaws should be patched without delay, with priority given to:
- SharePoint Server environments, particularly those with internet-facing deployments, due to the actively exploited CVE-2026-32201
- Microsoft Defender endpoints affected by the publicly disclosed CVE-2026-33825
- Windows IKE Service deployments, given the critical unauthenticated RCE CVE-2026-33824 (CVSS 9.8)
- Remote Desktop Client and Active Directory infrastructure targeted by Critical RCEs
- Endpoints and servers affected by the Exploitation More Likely vulnerabilities, particularly BitLocker, Windows Shell, Desktop Window Manager, and Windows Search
- Office and Word environments where document-based exploitation is a concern
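Verifying that the April updates actually landed is a separate step from approving them. The PowerShell function below is an added example for this post, not Microsoft's or SOCRadar's code. It snapshots the OS build, the most recent hotfix, any security updates the Windows Update agent still reports as pending, and the Defender platform and engine versions, which are serviced through a separate channel from the monthly cumulative update. It deliberately hard-codes no KB numbers or fixed version strings, since those vary per OS build and are not listed in this post; pass the KBs you expect through the ExpectedKB parameter (an assumed parameter name).

```powershell
# Added example: report patch-relevant state of a Windows host for April 2026 verification.
# Assumes Windows 10/11 or Windows Server with the Windows Update agent present; best run elevated.
function Get-PatchState {
    [CmdletBinding()]
    param(
        # KB identifiers you expect to be installed, e.g. the cumulative update for this build.
        [string[]]$ExpectedKB = @()
    )

    # OS version plus the Update Build Revision (UBR), which changes with each cumulative update.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    # Installed hotfixes, newest first. Note: Get-HotFix does not list Defender platform
    # updates, so those are reported separately below.
    $hotfixes = @(Get-HotFix | Sort-Object InstalledOn -Descending)

    # Ask the Windows Update agent what is still outstanding (requires connectivity to the
    # configured update source, WSUS or Windows Update).
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $pending  = @($result.Updates | ForEach-Object {
        [pscustomobject]@{
            Title        = $_.Title
            KB           = (@($_.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            MsrcSeverity = $_.MsrcSeverity
        }
    })

    # Defender platform/engine versions; relevant to CVE-2026-33825 but not asserted against
    # a fixed version here, only reported for comparison with Microsoft's release notes.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = "$($os.Version).$ubr"
        LastHotfix        = $hotfixes | Select-Object -First 1 HotFixID, InstalledOn
        ExpectedKBMissing = @($ExpectedKB | Where-Object { $_ -notin $hotfixes.HotFixID })
        PendingSecurity   = @($pending | Where-Object { $_.MsrcSeverity })
        PendingOther      = @($pending | Where-Object { -not $_.MsrcSeverity })
        DefenderPlatform  = $mp.AMProductVersion
        DefenderEngine    = $mp.AMEngineVersion
    }
}

# Usage: supply the KB(s) from Microsoft's April 2026 release notes for this OS build.
Get-PatchState -ExpectedKB @() | Format-List
```

A non-empty ExpectedKBMissing or PendingSecurity list means the host is not done, regardless of what the deployment tool reports; SharePoint servers additionally need the product-specific update applied and the configuration wizard run, which this host-level check does not cover.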
In addition to the 165 Microsoft CVEs, this month’s release includes 82 republished third-party CVEs, including 78 Chromium vulnerabilities affecting Microsoft Edge. While those are outside the scope of this post, organizations running Edge should ensure browser updates are current as well.
See Microsoft’s April 2026 release notes for the full details of patched CVEs.
Validate Patching and Track Real-World Exposure with SOCRadar
Applying Microsoft’s updates is only part of the response. Security teams also need to know which internet-facing assets remain exposed, where patch coverage is incomplete, and whether any of the month’s high-risk vulnerabilities are already drawing attacker attention. That is where a combination of external visibility and threat intelligence becomes more useful than patching alone.
SOCRadar Attack Surface Management (ASM) helps organizations identify exposed systems, detect unpatched internet-facing assets, and verify whether critical vulnerabilities may still be reachable from the outside. The Cyber Threat Intelligence module adds context by tracking exploit activity, threat actor interest, and emerging discussions around newly disclosed flaws.

SOCRadar’s Vulnerability Intelligence: Latest CVEs & exploits
Together, these capabilities help security teams prioritize what to fix first, validate whether urgent patches like actively exploited or publicly disclosed vulnerabilities have truly been addressed, and reduce the chance that overlooked exposure turns into a real incident.
