Microsoft's April 2026 Patch Tuesday is the second-largest monthly security update in company history, addressing 167 CVEs across Windows, SharePoint, Office, and a wide range of other Microsoft products. The release includes one actively exploited zero-day and a critical unauthenticated RCE vulnerability in Windows IKE with a CVSS score of 9.8.
Patch Volume and Severity Breakdown
| Severity | Count |
|---|---|
| Critical | 8 |
| Important | 154 |
| Moderate | 1 |
| Total | 167 |
Vulnerability type distribution:
- Elevation of Privilege: ~57%
- Information Disclosure: ~12%
- Remote Code Execution: ~12%
- Spoofing, Denial of Service, Security Feature Bypass: remainder
Only October 2025 (also 167 CVEs, per some counts) rivals this volume. The scale of this update reflects both Microsoft's expanding product surface area and the sustained pace of vulnerability research across the industry.
Zero-Days
CVE-2026-32201 — Microsoft SharePoint Server Spoofing (Actively Exploited)
CVSS: 6.5 (Important)
This is the only actively exploited zero-day in April's release. The flaw affects SharePoint Server 2016, 2019, and Subscription Edition and stems from improper input validation. Successful exploitation allows an attacker to:
- View sensitive information (Confidentiality impact)
- Make changes to disclosed information (Integrity impact)
Microsoft has not publicly disclosed the attack vector, the specific organizations targeted, or the identity of the researcher who reported the bug. CISA is expected to add this CVE to its Known Exploited Vulnerabilities catalog in the coming days, which would impose a mandatory 21-day patch deadline on US federal agencies.
Organizations running on-premises SharePoint deployments should treat this as high priority.
BlueHammer — Microsoft Defender Privilege Escalation
A vulnerability in Microsoft Defender that allows privilege escalation to SYSTEM was fixed automatically via the Microsoft Defender Antimalware Platform update v4.18.26050.3011. Public exploit code for this vulnerability (nicknamed "BlueHammer") was published to GitHub on April 3rd by a researcher under the alias "Chaotic Eclipse." Microsoft's advisory does not reference the public exploit code, but its publication opened a period of elevated risk between exploit release and patch deployment for organizations with slow update cycles.
Notable Critical CVEs
CVE-2026-33824 — Windows IKE Service Extensions RCE
CVSS: 9.8 (Critical)
An unauthenticated attacker can send crafted packets to a Windows IKEv2 target to achieve remote code execution. This affects the Windows IKE (Internet Key Exchange) service, which handles VPN and IPsec negotiation. The unauthenticated attack vector, combined with the near-maximum CVSS score, makes this a significant concern for any organization running Windows-based VPN infrastructure exposed to untrusted networks.
Attack chain:
Attacker → Crafted IKEv2 packet → Windows IKE service → RCE (no authentication)
CVE-2026-33826 — Windows Active Directory RCE
CVSS: 8.0 (Important) — Exploitation More Likely
A remote code execution vulnerability in Windows Active Directory. Microsoft rates this as "Exploitation More Likely," indicating the company believes the technical bar for exploitation is low enough that threat actors are likely to develop weaponized exploits in the near term. Domain controller administrators should prioritize this patch.
CVE-2026-27913 — Windows BitLocker Secure Boot Bypass
CVSS: 7.7 (Important)
A Secure Boot bypass affecting Windows BitLocker. This type of vulnerability can allow attackers with physical access to a device — or with local administrator privileges — to circumvent BitLocker encryption protections, potentially exposing encrypted data or enabling unauthorized boot sequences.
Other Vendor Patches (Coordinated Release)
April's patch cycle extends beyond Microsoft:
Adobe: Released patches for Illustrator, Photoshop, and Reader/Acrobat. Notably, an Adobe Reader/Acrobat zero-day (CVE-2026-34621) that has been actively exploited via malicious PDFs since December 2025 received a long-awaited fix. Organizations relying on Adobe Reader should update immediately.
Fortinet: Released an emergency patch for CVE-2026-35616, a critical vulnerability in FortiClient EMS that has been actively exploited in the wild. Organizations running FortiClient EMS should treat this as an immediate priority regardless of the broader Patch Tuesday context.
Prioritization Guidance
For most organizations, the recommended update priority for April 2026 is:
- CVE-2026-32201 (SharePoint) — Actively exploited zero-day; patch on-premises SharePoint servers within 24–72 hours
- CVE-2026-33824 (Windows IKE RCE, CVSS 9.8) — Unauthenticated network-adjacent RCE; prioritize internet-facing Windows VPN infrastructure
- BlueHammer Defender update — Auto-delivered for most environments; verify Defender Platform version is 4.18.26050.3011 or later
- CVE-2026-33826 (AD RCE) — "Exploitation More Likely" rating warrants fast tracking
- Adobe Reader patch — Actively exploited zero-day with months of in-the-wild exploitation
As always, organizations should test patches in staging environments before broad deployment where possible, but the presence of actively exploited vulnerabilities in this release argues for expedited rollout schedules.
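
One way to verify two items from the priority list on a single Windows host (an added example, not from the original article or from Microsoft): the Defender platform version against the 4.18.26050.3011 minimum, and whether the IKE service is running and bound to UDP 500/4500. The function names, the output format, and the mapping of CVE-2026-33824 to the IKEEXT service are assumptions.

```powershell
# Added example; function names and output shape are hypothetical.
# Minimum Defender platform version as quoted in the article.
$MinPlatform = [version]'4.18.26050.3011'

function Test-DefenderPlatform {
    param([version]$Minimum = $MinPlatform)
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Defender cmdlets missing or service stopped: report it, never assume patched.
        return [pscustomobject]@{
            Check = 'DefenderPlatform'; State = 'Unknown'; Detail = $_.Exception.Message
        }
    }
    # [version] compares field by field. A string compare would rank a
    # constructed value such as 4.18.9999.1 above 4.18.26050.3011.
    $installed = [version]$mp.AMProductVersion
    $state = if ($installed -ge $Minimum) { 'OK' } else { 'Outdated' }
    [pscustomobject]@{
        Check = 'DefenderPlatform'; State = $state
        Detail = "installed $installed, minimum $Minimum"
    }
}

function Test-IkeExposure {
    # Assumption: the affected component runs as the IKEEXT service
    # ("IKE and AuthIP IPsec Keying Modules").
    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    # IKE uses UDP 500, plus UDP 4500 for NAT traversal.
    $bound = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue)
    $addrs = ($bound | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } |
        Sort-Object -Unique) -join ', '
    $running = $svc -and $svc.Status -eq 'Running'
    $state = if (-not $running) { 'NotRunning' } elseif ($bound.Count -gt 0) { 'Listening' } else { 'RunningNoListener' }
    [pscustomobject]@{
        Check = 'IkeExposure'; State = $state
        Detail = "IKEEXT=$($svc.Status); UDP endpoints: $addrs"
    }
}

$results = @(Test-DefenderPlatform) + @(Test-IkeExposure)
$results | Format-Table -AutoSize -Wrap
```

A `Listening` result shows only a local UDP binding; host and perimeter firewall rules determine whether that endpoint is reachable from untrusted networks.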