Microsoft April 2026 Patch Tuesday Fixes 165 Flaws, Including Eight Critical and One Actively Exploited SharePoint Bug
Microsoft's April 2026 Patch Tuesday addresses 165 vulnerabilities, eight rated critical, with one SharePoint spoofing flaw already under active exploitation.
Microsoft released its April 2026 Patch Tuesday update on April 14, 2026, addressing 165 vulnerabilities across its product portfolio. Eight of the flaws are rated critical, and one — CVE-2026-32201 in Microsoft Office SharePoint — has already been detected as exploited in the wild, according to Cisco Talos.
The critical vulnerabilities span a wide range of attack surfaces. CVE-2026-23666 is a denial-of-service flaw in the .NET framework that could allow an attacker to crash services over the network. CVE-2026-32157 is a use-after-free in the Remote Desktop Client that leads to remote code execution when a user connects to a malicious server. CVE-2026-32190, CVE-2026-33114, and CVE-2026-33115 are all critical use-after-free or untrusted pointer dereference bugs in Microsoft Office and Word, each requiring local code execution to exploit.
Two critical flaws target core Windows networking components. CVE-2026-33824 is a double-free vulnerability in the Windows Internet Key Exchange (IKE) extension that allows an unauthenticated attacker to send specially crafted packets to a machine with IKEv2 enabled, achieving remote code execution. CVE-2026-33827 is a race condition in Windows TCP/IP that can be triggered by sending crafted IPv6 packets to a node with IPSec enabled. CVE-2026-33826 is a critical input validation bug in Windows Active Directory that requires an authenticated attacker in the same restricted domain to send malicious RPC calls.
The most urgent patch is for CVE-2026-32201, an important-rated spoofing vulnerability in Microsoft Office SharePoint that is already being exploited. An attacker can view sensitive information and make unauthorized changes. Microsoft has not yet released full details of the attack chain, but organizations should prioritize this update.
In addition to the critical and exploited flaws, Microsoft flagged more than 20 other vulnerabilities as "more likely" to be exploited. These include a UEFI Secure Boot bypass (CVE-2026-0390), a Remote Desktop spoofing bug (CVE-2026-26151), and multiple elevation-of-privilege vulnerabilities in the Windows Ancillary Function Driver for WinSock, the Desktop Window Manager, and the Common Log File System Driver. Several BitLocker and Windows Hello security feature bypasses were also listed.
Cisco Talos has released Snort rules to detect exploitation attempts against several of the critical vulnerabilities, including CVE-2026-33824 (IKE double-free) and CVE-2026-33827 (TCP/IP race condition). Administrators are urged to apply the patches immediately, especially for internet-facing systems and SharePoint servers. The April update marks one of the larger Patch Tuesday releases of 2026, reflecting the growing complexity of Microsoft's attack surface.