April 15, 2026
By esentry Team

Security Advisory: April 2026 Microsoft Patch Tuesday

Microsoft has released its April 2026 Patch Tuesday updates, resolving 167 security vulnerabilities. These include two zero-day flaws: one publicly disclosed and one actively exploited in the wild.

Among the fixes are eight Critical vulnerabilities, seven of which are remote code execution (RCE) flaws, while the remaining issue enables a denial-of-service (DoS) condition.

Vulnerability Breakdown

The patched vulnerabilities fall into the following categories:

  • 93 Elevation of Privilege
  • 13 Security Feature Bypass
  • 20 Remote Code Execution
  • 21 Information Disclosure
  • 10 Denial of Service
  • 9 Spoofing

Zero-Day Vulnerabilities Patched

Microsoft resolved two zero-day vulnerabilities this month. A zero-day is defined as a flaw that is publicly disclosed or actively exploited before an official patch is available.

Actively Exploited Zero-Day

CVE-2026-32201 – Microsoft SharePoint Server Spoofing Vulnerability

This vulnerability was exploited in real-world attacks. According to Microsoft, improper input validation in SharePoint allows an unauthenticated attacker to perform spoofing attacks over a network.

Successful exploitation could allow attackers to:

  • View sensitive information (confidentiality impact)
  • Modify disclosed data (integrity impact)

Microsoft has not shared technical details on the attacks or the party responsible for disclosure.

Publicly Disclosed Zero-Day

CVE-2026-33825 – Microsoft Defender Elevation of Privilege Vulnerability

This flaw allows local attackers to gain SYSTEM-level privileges. It has been addressed in Microsoft Defender Antimalware Platform version 4.18.26050.3011, which is being automatically deployed.

Users can manually update Defender by navigating to: Windows Security → Virus & threat protection → Protection updates → Check for updates

Microsoft credited Zen Dodd and Yuanpei Xu (HUST) with Diffract for discovering the issue.
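
To confirm that an endpoint is already on the fixed platform build, the check below compares the reported Antimalware Platform version against 4.18.26050.3011. It is an added example, not code from Microsoft or the advisory author. The inventory rows and the `Get-DefenderPatchState` helper are constructed for illustration, and the local check assumes the Defender PowerShell module (`Get-MpComputerStatus`) is present.

```powershell
# Added example: not Microsoft's or the advisory author's code.
# Fixed platform version, taken from the advisory text above.
$FixedVersion = [version]'4.18.26050.3011'

function Get-DefenderPatchState {
    # Hypothetical helper: classifies one reported platform version string.
    param([string]$PlatformVersion)

    $parsed = $null
    # Empty or malformed strings occur when Defender is disabled or not reporting.
    if (-not [version]::TryParse($PlatformVersion, [ref]$parsed)) {
        return 'Unknown'
    }
    # Compare as [version], not as strings: '4.18.9999.1' sorts after
    # '4.18.26050.3011' as a string but is the lower build numerically.
    if ($parsed -ge $FixedVersion) { 'Patched' } else { 'Vulnerable' }
}

# Constructed inventory (hypothetical host names and versions),
# standing in for an export from an asset or EDR tool.
$inventory = @'
ComputerName,AMProductVersion
WS-001,4.18.26050.3011
WS-002,4.18.26030.3011
WS-003,4.18.9999.1
SRV-010,
'@ | ConvertFrom-Csv

$inventory |
    Select-Object ComputerName, AMProductVersion,
        @{ Name = 'State'; Expression = { Get-DefenderPatchState $_.AMProductVersion } } |
    Format-Table -AutoSize

# Local host: AMProductVersion is the Antimalware Platform version.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $local = (Get-MpComputerStatus).AMProductVersion
    '{0}: {1} ({2})' -f $env:COMPUTERNAME, (Get-DefenderPatchState $local), $local
}
```

Hosts that come back as `Unknown` need a follow-up rather than being counted as patched, since a missing version usually means Defender is not the active or reporting antimalware engine on that machine.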

Microsoft Office Risks Require Urgent Attention

This month’s updates also address multiple remote code execution vulnerabilities in Microsoft Office, including Word and Excel. Several of these flaws can be triggered via the Preview Pane or by opening specially crafted documents.

Given the attack vectors, organizations and individuals who frequently receive email attachments are strongly advised to prioritize Office updates.

Microsoft Office Vulnerabilities

Multiple RCE vulnerabilities affect:

  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint

Attack Vectors:

  • Malicious documents
  • Preview pane exploitation

Security Updates from Other Vendors (April 2026)

Several other major vendors released critical updates this month:

  • Adobe patched multiple products, including an actively exploited Reader/Acrobat zero-day.
  • Apache fixed a 13-year-old RCE vulnerability in ActiveMQ Classic.
  • Apple expanded security update coverage for devices still running iOS 18.
  • Cisco addressed multiple issues, including an IMC authentication bypass.
  • Fortinet patched a critical, actively exploited FortiClient EMS vulnerability (CVE-2026-35616).
  • Google fixed an actively exploited Chrome zero-day in Android’s April bulletin.
  • SAP, Marimo, and wolfSSL also released high-impact security updates.
  • GPUBreach, a new rowhammer-style attack capable of full system compromise, was disclosed.

Recommended Actions

Prioritize patching immediately, especially:

  • SharePoint Server
  • Microsoft Defender
  • Microsoft Office suite

Monitor for indicators of compromise (IoCs) tied to spoofing and privilege escalation

Restrict document preview and external attachment handling where possible

Apply defense-in-depth controls (EDR, network segmentation, least privilege)

The Security Updates

Below is the complete list of resolved vulnerabilities in the April 2026 Patch Tuesday updates.