Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.

The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer. 

The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.

Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.

OEM	Microsoft
Severity	Critical
Date of Announcement	2026-04-14
No. of Vulnerability	165
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).

Here are the CVE addresses for Microsoft April 2026:

• 165 Microsoft CVEs
• 82 Non Microsoft CVEs

Breakdown of April 2026 Vulnerabilities

• 93 Elevation of Privilege (EoP)
• 20 Remote Code Execution
• 21 Information Disclosure
• 10 Denial of Service (DoS)
• 9 Spoofing
• 13 Security Feature Bypass

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCE	CVE-2026-33824	Windows IKE Service	Critical	9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)	CVE-2026-33827	Windows TCP/IP Stack	Critical	9.8
Windows Active DirectoryRemote Code Execution	CVE-2026-33826	Windows Active Directory	Critical	9.1
Remote Desktop Client Remote Code Execution	CVE-2026-32157	Remote Desktop Client	High	8.8
Microsoft Office Remote Code Execution (Preview Pane)	CVE-2026-32190	Microsoft Office	High	8.4
Microsoft Word Remote Code Execution (Preview Pane)	CVE-2026-33114	Microsoft Word	High	8.4
Microsoft  Word Remote Code Execution (Preview Pane)	CVE-2026-33115	Microsoft Word	High	8.4

Technical Summary

This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.

The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.

The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.

Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.

This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2026-33824	Windows IKE Service Extensions	Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required	Remote Code Execution
CVE-2026-32190	Microsoft Office	Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file	Remote Code Execution
CVE-2026-33114 / 33115	Microsoft Word	Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains	Remote Code Execution
CVE-2026-32157	Remote Desktop Client	RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios	Remote Code Execution
CVE-2026-33827	Windows TCP/IP Stack	Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks	Remote Code Execution
CVE-2026-33826	Windows Active Directory	Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining	Remote Code Execution

Key Affected Products and Services

April 2026 updates address vulnerabilities across:

• Windows Core Components

Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.

• Microsoft Office Suite

Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.

• SharePoint & Collaboration

SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.

• Microsoft Defender

A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.

• .NET Framework & Developer Tools

.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.

• Azure & Cloud Services

Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.

• SQL Server

Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.

Remediation:

• Apply April 2026 security updates on all Windows systems as a priority

Here are some recommendations

• Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
• Ensure Microsoft Defender and other security components are updated to the latest platform versions.
• Review network exposure and apply temporary mitigations where patching may be delayed.
• Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
• Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.

Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.

References:

• https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr
• https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
• https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/