Microsoft has released its April 2026 Patch Tuesday security update on April 14, 2026, addressing a staggering 168 vulnerabilities, double the number patched in March 2026. The batch includes one actively exploited zero-day, one publicly disclosed zero-day, and eight Critical-rated flaws spanning Windows core components, Microsoft Office, Active Directory, and developer tools.
Security teams across enterprises must treat this month’s release with urgency. The sheer volume of patches, combined with an in-the-wild zero-day targeting SharePoint Server and Critical remote code execution flaws in Windows TCP/IP and Active Directory, makes April 2026’s Patch Tuesday one of the most consequential releases of the year.
Actively Exploited Zero-Day: SharePoint Spoofing Flaw
The single most dangerous vulnerability patched this month is CVE-2026-32201, a Microsoft SharePoint Server Spoofing Vulnerability that has been actively exploited in the wild.
Attackers have already leveraged this flaw to conduct spoofing attacks against enterprise SharePoint environments used for document management and internal collaboration.
Rated Important, the vulnerability poses a critical risk to organizations that rely on SharePoint for daily operations and warrants CISA-level urgency; security administrators should deploy this patch immediately, without waiting for scheduled maintenance windows.
Additionally, CVE-2026-33825, a Microsoft Defender Elevation of Privilege Vulnerability rated Important with a CVSS score of 7.8, was publicly disclosed before a patch was available.
This flaw stems from an insufficient-granularity-of-access-control weakness (CWE-1220) in Microsoft Defender, allowing a low-privileged local attacker to escalate to SYSTEM-level privileges with no user interaction required.
It is widely presumed to be linked to the “BlueHammer” exploit released publicly on April 2, 2026. Proof-of-concept exploit code exists in the wild, and Microsoft assesses exploitation as more likely.
Critical Windows TCP/IP and Active Directory RCEs
Among the eight Critical vulnerabilities this month, the following stand out as network-level threats requiring no user interaction:
- CVE-2026-33827 – Windows TCP/IP Remote Code Execution vulnerability rated Critical. A remote attacker could exploit this flaw at the network layer, making it a wormable-class candidate that could propagate across unpatched infrastructure.
- CVE-2026-33826 – Windows Active Directory Remote Code Execution vulnerability rated Critical. Active Directory is the identity backbone of most enterprise environments, and a successful exploit here could grant attackers full domain-level access, enabling lateral movement, credential theft, and complete network takeover.
- CVE-2026-33824 – Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution vulnerability rated Critical, targeting the VPN and IPsec infrastructure that enterprises rely on for secure remote access.
Critical Microsoft Office and Word Exploits
Three Critical remote code execution vulnerabilities affect Microsoft Office and Word, all carrying a CVSS score of 8.4 and requiring no authentication, which makes them highly attractive for phishing-based campaigns:
- CVE-2026-33115 – Microsoft Word RCE via a use-after-free memory flaw; exploitation can be triggered through the document preview pane, meaning a user doesn’t even need to open a malicious file.
- CVE-2026-33114 – Microsoft Word RCE via an untrusted pointer dereference flaw; a specially crafted Word document sent via email or Teams can trigger arbitrary code execution.
- CVE-2026-23666 – .NET Framework Denial of Service vulnerability rated Critical, affecting all applications built on the .NET runtime stack, including enterprise web applications and backend services.
Broad Attack Surface: Elevation of Privilege Dominates
The full breakdown of April 2026’s 168 CVEs reveals an overwhelming concentration of Elevation of Privilege (EoP) vulnerabilities, totaling 93, more than half of the entire patch batch:
| Impact Category | Count |
|---|---|
| Elevation of Privilege | 93 |
| Information Disclosure | 21 |
| Remote Code Execution | 20 |
| Security Feature Bypass | 13 |
| Denial of Service | 10 |
| Spoofing | 8 |
| Tampering | 2 |
| Defense in Depth | 1 |
| Total | 168 |
The massive EoP count reflects attackers’ increasing focus on post-exploitation privilege escalation: gaining initial access via phishing or RCE, then using EoP to escalate to SYSTEM or domain admin rights.
Notable EoP targets include the Windows Kernel (CVE-2026-26179, CVE-2026-26180, CVE-2026-26163), Windows Kerberos (CVE-2026-27912), PowerShell (CVE-2026-26170), Windows Installer (CVE-2026-27910), and multiple Windows Shell instances (CVE-2026-27918, CVE-2026-26165, CVE-2026-26166).
Developer Tools, Open Source & Third-Party CVEs
This month’s release also covers third-party and open-source components shipped with Microsoft products, including:
- CVE-2026-32631 – Git for Windows NTLM hash leak during `git clone` from manipulated repositories, rated Important
- CVE-2026-34743 – XZ Utils buffer overflow in `lzma_index_append()`, affecting Microsoft Mariner Linux
- CVE-2026-31789 – OpenSSL heap buffer overflow in hexadecimal conversion
- CVE-2026-28390/28389/28388 – Three OpenSSL NULL dereference vulnerabilities in CMS message processing
- CVE-2026-3783/3784 – Dual curl vulnerabilities: token leak with redirect/netrc and wrong proxy connection reuse with credentials
- CVE-2026-23653 – GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability
Complete CVE Table April 2026 Patch Tuesday
| CVE ID | Vulnerability Title | Type | Severity | Component |
|---|---|---|---|---|
| CVE-2026-32201 | SharePoint Server Spoofing (Zero-Day, Exploited) | Spoofing | Important | Microsoft SharePoint |
| CVE-2026-33825 | Microsoft Defender EoP (Publicly Disclosed) | EoP | Important | Microsoft Defender |
| CVE-2026-33827 | Windows TCP/IP RCE | RCE | Critical | Windows TCP/IP |
| CVE-2026-33826 | Windows Active Directory RCE | RCE | Critical | Windows Active Directory |
| CVE-2026-33824 | Windows IKE Service Extensions RCE | RCE | Critical | Windows IKE Extension |
| CVE-2026-33115 | Microsoft Word RCE (Use-After-Free) | RCE | Critical | Microsoft Office Word |
| CVE-2026-33114 | Microsoft Word RCE (Untrusted Pointer) | RCE | Critical | Microsoft Office Word |
| CVE-2026-23666 | .NET Framework Denial of Service | DoS | Critical | .NET Framework |
| CVE-2026-33829 | Windows Snipping Tool Spoofing | Spoofing | Moderate | Windows Snipping Tool |
| CVE-2026-33822 | Microsoft Word Information Disclosure | Info Disclosure | Important | Microsoft Office Word |
| CVE-2026-33120 | Microsoft SQL Server RCE | RCE | Important | SQL Server |
| CVE-2026-33116 | .NET, .NET Framework, Visual Studio DoS | DoS | Important | .NET / Visual Studio |
| CVE-2026-32082 | Windows SSDP Service EoP | EoP | Important | Windows SSDP Service |
| CVE-2026-32080 | Windows WalletService EoP | EoP | Important | Windows WalletService |
| CVE-2026-32072 | Active Directory Spoofing | Spoofing | Important | Windows Active Directory |
| CVE-2026-32071 | LSASS Denial of Service | DoS | Important | Windows LSASS |
| CVE-2026-32070 | Common Log File System Driver EoP | EoP | Important | Windows CLFS Driver |
| CVE-2026-27928 | Windows Hello Security Feature Bypass | SFB | Important | Windows Hello |
| CVE-2026-27913 | Windows BitLocker Security Feature Bypass | SFB | Important | Windows BitLocker |
| CVE-2026-27912 | Windows Kerberos EoP | EoP | Important | Windows Kerberos |
| CVE-2026-27910 | Windows Installer EoP | EoP | Important | Windows Installer |
| CVE-2026-27918 | Windows Shell EoP | EoP | Important | Windows Shell |
| CVE-2026-26180 | Windows Kernel EoP | EoP | Important | Windows Kernel |
| CVE-2026-26170 | PowerShell EoP | EoP | Important | Microsoft PowerShell |
| CVE-2026-26174 | Windows WSUS EoP | EoP | Important | Windows WSUS |
| CVE-2026-26156 | Windows Hyper-V RCE | RCE | Important | Windows Hyper-V |
| CVE-2026-26154 | Windows WSUS Tampering | Tampering | Important | Windows WSUS |
| CVE-2026-26153 | Windows EFS EoP | EoP | Important | Windows EFS |
| CVE-2026-26152 | Microsoft Cryptographic Services EoP | EoP | Important | Windows Cryptographic Services |
| CVE-2026-26151 | Remote Desktop Spoofing | Spoofing | Important | Windows Remote Desktop |
| CVE-2026-26149 | Microsoft Power Apps Security Bypass | SFB | Important | Microsoft Power Apps |
| CVE-2026-25250 | Secure Boot Security Feature Bypass | SFB | Important | Windows Secure Boot |
| CVE-2026-23653 | GitHub Copilot & VS Code Info Disclosure | Info Disclosure | Important | GitHub Copilot / VS Code |
| CVE-2026-23657 | Microsoft Word RCE | RCE | Important | Microsoft Office Word |
| CVE-2026-20945 | Microsoft SharePoint Server Spoofing | Spoofing | Important | Microsoft SharePoint |
| CVE-2026-32631 | Git for Windows NTLM Hash Leak | Info Disclosure | Important | GitHub / Git for Windows |
| CVE-2026-34743 | XZ Utils Buffer Overflow | Buffer Overflow | Important | XZ Utils (Mariner) |
| CVE-2026-31789 | OpenSSL Heap Buffer Overflow | Buffer Overflow | Important | OpenSSL |
| CVE-2026-3783 | curl Token Leak (netrc + redirect) | Info Disclosure | Important | curl |
| CVE-2026-3784 | curl Wrong Proxy Connection Reuse | Misconfiguration | Important | curl |
| CVE-2026-21637 | Node.js TLS PSK/ALPN Callback DoS | DoS | Moderate | Node.js |
| CVE-2023-20585 | AMD IOMMU Write Buffer Vulnerability | Tampering | Important | AMD IOMMU |
Recommended Immediate Actions
Security teams should prioritize patches in the following order:
- Immediately: Patch CVE-2026-32201 (SharePoint zero-day actively exploited); patch CVE-2026-33825 (Defender EoP with PoC exploit)
- Within 24–48 hours: Apply Critical patches for CVE-2026-33827 (TCP/IP RCE), CVE-2026-33826 (Active Directory RCE), CVE-2026-33824 (IKE RCE), and all Critical Word/Office RCEs
- Within 7 days: Deploy all remaining Important and Moderate patches, with focus on Kerberos, BitLocker, Windows Hello, and WSUS tampering vulnerabilities
- For DevOps/DevSec teams: Update Git for Windows (CVE-2026-32631), curl, OpenSSL, and XZ Utils components immediately.
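The ordering above makes a point that severity ratings alone would miss: the SharePoint zero-day is rated only Important, so a queue sorted by severity would bury it beneath Critical bugs that nobody is exploiting yet. The script below, an added example that is not code from the article or from Microsoft, encodes that triage policy (exploited or publicly disclosed first, then Critical, then everything else, with network-reachable flaws ahead within a tier) and routes third-party components to the DevOps queue. The sample rows are constructed from the article's tables; the `exploited`, `disclosed`, `network` and `component` flags are assumptions filled in from the article's text, and in practice would be taken from Microsoft's advisory data and CISA's KEV catalog.

```python
"""Patch-priority triage for a Patch Tuesday batch (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    title: str
    severity: str            # "Critical", "Important" or "Moderate"
    vuln_type: str           # RCE, EoP, Spoofing, ...
    exploited: bool = False  # confirmed exploited in the wild
    disclosed: bool = False  # publicly disclosed / PoC before the patch
    network: bool = False    # reachable over the network, no user interaction
    component: str = ""      # product or third-party library affected


# Constructed sample drawn from the article's tables; flag values are assumptions.
SAMPLE = [
    Cve("CVE-2026-32201", "SharePoint Server Spoofing", "Important", "Spoofing",
        exploited=True, component="Microsoft SharePoint"),
    Cve("CVE-2026-33825", "Microsoft Defender EoP", "Important", "EoP",
        disclosed=True, component="Microsoft Defender"),
    Cve("CVE-2026-33827", "Windows TCP/IP RCE", "Critical", "RCE",
        network=True, component="Windows TCP/IP"),
    Cve("CVE-2026-33826", "Windows Active Directory RCE", "Critical", "RCE",
        network=True, component="Windows Active Directory"),
    Cve("CVE-2026-33115", "Microsoft Word RCE (use-after-free)", "Critical", "RCE",
        component="Microsoft Office Word"),
    Cve("CVE-2026-27912", "Windows Kerberos EoP", "Important", "EoP",
        component="Windows Kerberos"),
    Cve("CVE-2026-32631", "Git for Windows NTLM hash leak", "Important",
        "Info Disclosure", component="Git for Windows"),
    Cve("CVE-2026-33829", "Windows Snipping Tool Spoofing", "Moderate", "Spoofing",
        component="Windows Snipping Tool"),
]

IMMEDIATE, TWO_DAYS, SEVEN_DAYS = "immediately", "24-48h", "7 days"
TIER_ORDER = {IMMEDIATE: 0, TWO_DAYS: 1, SEVEN_DAYS: 2}
SEVERITY_ORDER = {"Critical": 0, "Important": 1, "Moderate": 2}

# Components that the DevOps/DevSec team owns rather than Windows administrators
# (set chosen for this example from the article's third-party list).
DEVOPS_COMPONENTS = {"Git for Windows", "curl", "OpenSSL", "XZ Utils"}


def tier(cve: Cve) -> str:
    """Apply the article's ordering: exploitation status outranks the severity label."""
    if cve.exploited or cve.disclosed:
        return IMMEDIATE
    if cve.severity == "Critical":
        return TWO_DAYS
    return SEVEN_DAYS


def owner(cve: Cve) -> str:
    """Route third-party library fixes to DevOps, everything else to Windows admins."""
    return "devops" if cve.component in DEVOPS_COMPONENTS else "windows-admins"


def triage(cves: list[Cve]) -> dict[str, list[str]]:
    """Group CVE ids by tier; within a tier, network-reachable flaws come first."""
    ordered = sorted(cves, key=lambda c: (TIER_ORDER[tier(c)], not c.network, c.cve_id))
    buckets: dict[str, list[str]] = {}
    for c in ordered:
        buckets.setdefault(tier(c), []).append(c.cve_id)
    return buckets


def severity_only_rank(cves: list[Cve]) -> list[str]:
    """The naive queue (severity label only), kept for comparison with triage()."""
    return [c.cve_id for c in sorted(cves, key=lambda c: (SEVERITY_ORDER[c.severity], c.cve_id))]


def assignments(cves: list[Cve]) -> dict[str, list[str]]:
    """Map each owning team to the CVE ids it has to deploy, in triage order."""
    out: dict[str, list[str]] = {}
    for t in (IMMEDIATE, TWO_DAYS, SEVEN_DAYS):
        for cve_id in triage(cves).get(t, []):
            c = next(x for x in cves if x.cve_id == cve_id)
            out.setdefault(owner(c), []).append(cve_id)
    return out


if __name__ == "__main__":
    for t, ids in triage(SAMPLE).items():
        print(f"{t:12s} {', '.join(ids)}")
    print("severity-only order:", severity_only_rank(SAMPLE))
    print("by owner:", assignments(SAMPLE))
```

Running it shows the Important-rated SharePoint zero-day and the disclosed Defender EoP in the "immediately" bucket ahead of the Critical TCP/IP and Active Directory RCEs, whereas the severity-only list places them behind every Critical entry; the Git for Windows fix lands in the DevOps queue.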
Frequently Asked Questions (FAQ)
Q1: What is the most critical vulnerability in Microsoft’s April 2026 Patch Tuesday?
CVE-2026-32201, an actively exploited SharePoint Server Spoofing zero-day, and CVE-2026-33827, a Critical Windows TCP/IP RCE, are the top priorities requiring immediate patching.
Q2: Is there a zero-day vulnerability under active exploitation in April 2026?
Yes, CVE-2026-32201 (SharePoint spoofing) has been confirmed exploited in the wild, and CVE-2026-33825 (Defender EoP) was publicly disclosed with PoC code available before the patch.
Q3: How many vulnerabilities did Microsoft patch in April 2026’s Patch Tuesday?
Microsoft addressed 168 vulnerabilities in total, double the March 2026 count, including 8 Critical, 1 actively exploited zero-day, and 93 Elevation of Privilege flaws.
Q4: Which Microsoft products are most impacted by the April 2026 security updates?
Windows OS components (TCP/IP, Active Directory, Kernel, Kerberos), Microsoft Office/Word, SharePoint Server, .NET Framework, and developer tools, including GitHub Copilot and Visual Studio Code.
Site: http://thecybrdef.com