Microsoft Issues Second Biggest Patch Tuesday Ever in April

Microsoft this week released one of the largest Patch Tuesday bundles in its history, delivering fixes for 163 new Microsoft CVEs in a month that includes three zero-days and eight Critical-rated vulnerabilities. The April haul touches a wide range of enterprise technologies, from SharePoint Server and Microsoft Defender to Word, Remote Desktop, Active Directory and Windows TCP/IP.

The month's massive haul includes three zero-day issues and eight Critical-rated vulnerabilities across Office, Word, Remote Desktop, Active Directory, Windows networking and .NET Framework.

"Microsoft's April 2026 Patch Tuesday release contains fixes for 163 CVEs, making it the second biggest Patch Tuesday ever, just shy of the record set in October 2025 at 167 CVEs," said Satnam Narang, senior staff research engineer at Tenable. "At this pace, 2026 is on track to affirm that 1,000+ Patch Tuesday CVEs annually is the norm."

Narang added that elevation-of-privilege bugs continued to dominate the monthly mix, accounting for 57 percent of the April total, while remote code execution flaws dropped to 12 percent, tied with information disclosure bugs.

Highest Priority: Zero-Day Bugs
The first zero-day drawing immediate attention is CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability that Microsoft marked as exploited in the wild. Microsoft hasn't offered much public detail on the bug, but noted that attackers could view information or make changes to disclosed information.

Mike Walters, president and co-founder of Action1, said the SharePoint bug's real danger is the trust built into many enterprise collaboration environments. "The flaw lets attackers fake trust at scale: what looks legitimate may actually be a carefully crafted deception," he said.

The second zero-day is CVE-2026-5281, a Chromium use-after-free vulnerability in Dawn that Microsoft listed as actively exploited. While it comes through the Chromium side of the Microsoft ecosystem rather than through Windows alone, it still carries weight for organizations managing Microsoft Edge deployments and other browser-dependent enterprise workflows.

The third zero-day is CVE-2026-33825, a Microsoft Defender elevation-of-privilege vulnerability that was publicly disclosed (but not yet seen in the wild) before Patch Tuesday. Narang said its timing "aligns with the recent disclosure of the BlueHammer elevation of privilege vulnerability in Defender." He added, "While we don't have confirmation of the connection, this one warrants attention."

Jack Bicer, director of vulnerability research at Action1, said this third zero-day could be especially useful to attackers who already have some level of access inside an environment. "This vulnerability in Microsoft Defender stems from insufficient granularity in access control, and turns limited access into total control -- what starts as a foothold can quickly become full system domination," he said.

Next Priority: Critical Bulletins
Beyond the zero-days, Microsoft also patched eight Critical vulnerabilities this month. Those are CVE-2026-23666 in .NET Framework; CVE-2026-32190 in Microsoft Office; CVE-2026-33114 and CVE-2026-33115 in Microsoft Word; CVE-2026-32157 in Remote Desktop Client; CVE-2026-33826 in Windows Active Directory; CVE-2026-33824 in Windows Internet Key Exchange service extensions; and CVE-2026-33827 in Windows TCP/IP.

Several of those issues stand out because they align closely with common enterprise attack paths. The Office and Word flaws are remote code execution bugs that can be triggered through malicious documents, and researchers said the Preview Pane can be part of the attack path in multiple cases. The Remote Desktop Client flaw, CVE-2026-32157, affects a trusted administration tool used widely in enterprise environments. The Active Directory bug, CVE-2026-33826, raises the stakes because of the central role directory services play in identity and privilege management.

The networking bugs may get even faster attention. CVE-2026-33827, the Windows TCP/IP remote code execution vulnerability, is wormable on systems with IPv6 and IPSec enabled. CVE-2026-33824, the IKE service extensions flaw, has also been flagged as another potentially wormable issue, though Microsoft said blocking UDP ports 500 and 4500 at the perimeter can mitigate external exposure.
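As an added example that is not part of this article or of Microsoft's guidance, the following PowerShell reports whether the preconditions named above for CVE-2026-33827 (IPv6 bound and the IPsec keying service running) are present on a host, and whether the host itself still accepts inbound UDP 500/4500, which a perimeter block for CVE-2026-33824 does not cover. It assumes it runs with administrative rights on a Windows host with the NetAdapter and NetSecurity modules; the function name is hypothetical and the output is for triage only.

```powershell
# Added triage helper (not from the article): read-only check of the two
# wormable-networking preconditions described in the text. Assumes admin rights
# and the built-in NetAdapter / NetSecurity modules (Windows 8 / Server 2012+).
function Get-WormableNetworkExposure {
    [CmdletBinding()]
    param()

    # CVE-2026-33827 precondition per the article: IPv6 enabled on an adapter.
    $ipv6Adapters = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty Name

    # IKEEXT is the IKE and AuthIP IPsec keying service that listens on UDP 500/4500.
    $ike = Get-Service -Name 'IKEEXT' -ErrorAction SilentlyContinue
    $ikeRunning = ($null -ne $ike -and $ike.Status -eq 'Running')

    # Enabled inbound allow rules on UDP 500 or 4500 (or "Any" port) mean the host
    # accepts IKE traffic from the LAN even if the perimeter drops it.
    $ikeRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'UDP' -and (
                ($pf.LocalPort -contains '500') -or
                ($pf.LocalPort -contains '4500') -or
                ($pf.LocalPort -contains 'Any'))
        } | Select-Object -ExpandProperty DisplayName

    # Live IPsec main-mode SAs indicate IPsec is actually in use, not just installed.
    $activeSAs = 0
    try { $activeSAs = @(Get-NetIPsecMainModeSA -ErrorAction Stop).Count } catch { }

    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        IPv6EnabledAdapters     = $ipv6Adapters
        IkeServiceRunning       = $ikeRunning
        InboundIkeAllowRules    = $ikeRules
        ActiveIPsecMainModeSAs  = $activeSAs
        # Both preconditions named in the article present: patch this host first.
        PriorityForCVE202633827 = if ($ipv6Adapters -and $ikeRunning) { 'High' } else { 'Review' }
        # Host-level IKE exposure remains even after a perimeter block of UDP 500/4500.
        HostAcceptsIke          = [bool]($ikeRules -and $ikeRunning)
    }
}

Get-WormableNetworkExposure | Format-List
```

Run it across a fleet with Invoke-Command to rank which Windows hosts to patch first; a "High" result means both conditions the article names for the wormable TCP/IP bug are present.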

Alex Vovk, CEO and co-founder of Action1, summed up the concern around CVE-2026-33827 this way: "One malformed packet is all it takes: this flaw lets attackers turn network access into full system compromise without ever logging in."

For patching teams, that leaves little ambiguity about April's priorities. SharePoint servers, Defender deployments, browser fleets, Office-heavy user groups, RDP-reliant administrators and network-exposed Windows infrastructure all landed on the urgent list this month. A complete list of security bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
