Microsoft April 2026 Patch Tuesday Fixes 167 Flaws, Three Zero-Days Including Actively Exploited SharePoint Bug
Microsoft's April 2026 Patch Tuesday addresses 167 vulnerabilities, including three zero-days: an actively exploited SharePoint spoofing flaw, a publicly disclosed Defender privilege escalation, and a critical remote code execution flaw in VPN-adjacent IKE.

Microsoft released its April 2026 Patch Tuesday update on April 14, addressing 167 vulnerabilities across its product portfolio. Among the patches are three zero-day vulnerabilities, one of which is being actively exploited in the wild. The update also includes fixes for 80 browser vulnerabilities that were published separately late last week, marking a record volume for a single browser update.
The most urgent vulnerability is CVE-2026-32201, an exploited-in-the-wild spoofing vulnerability in Microsoft SharePoint. Despite a relatively low CVSS v3 base score of 6.5, Microsoft has confirmed active exploitation. The advisory notes CWE-20 (Improper Input Validation) and low impact to confidentiality and integrity, but security experts warn that attackers often chain such flaws with other vulnerabilities to achieve greater impact. Patches are available for all supported SharePoint versions, including SharePoint 2016, which reaches end of extended support on July 14, 2026.
CVE-2026-33825 is a local privilege escalation vulnerability in Microsoft Defender that has been publicly disclosed. Successful exploitation allows an attacker to gain SYSTEM privileges. Microsoft notes that the Defender Antimalware Platform updates automatically by default, so no manual action is required for most users. Systems that have disabled Microsoft Defender are not vulnerable, though Microsoft recommends running a suitable third-party alternative if Defender is turned off.
The third zero-day, CVE-2026-33824, is a critical unauthenticated remote code execution vulnerability in Windows Internet Key Exchange (IKE) Services Extensions. An attacker can exploit this flaw by sending specially crafted packets to a Windows machine with IKE v2 enabled, potentially achieving remote code execution without authentication. Since IKE is used for secure tunnel negotiation, such as for VPNs, it is necessarily exposed to untrusted networks and reachable in a pre-authorization context. While the vulnerability is unlikely to spawn a widespread worm, it presents significant risk for initial access. Microsoft has provided mitigations for those unable to patch immediately, including restricting UDP traffic. All Windows versions back to Server 2016 and Windows 10 1607 LTSC receive patches.
The advisory credits both the WARP and MORSE teams at Microsoft for discovering CVE-2026-33824. This marks the first explicit mention in a Microsoft security advisory of WARP, which is speculated to be an internal designator for the Windows Enterprise Security Team.
In addition to the zero-days, the Patch Tuesday release includes fixes for 19 vulnerabilities that Microsoft rates as more likely to be exploited in the future. The overall volume of vulnerabilities is significantly higher than usual, driven in part by a surge in browser-related flaws. Microsoft attributes this increase to the expanding capabilities of AI in vulnerability discovery, a trend that security professionals expect to keep monitoring.
Microsoft also announced lifecycle updates, noting that extended support ends April 14, 2026 for several legacy enterprise tools, including Dynamics C5 2016, Dynamics NAV 2016, App-V 5.5.0 and App-V 5.1, UE-V 2.1, and BitLocker Administration and Monitoring 2.5 SP1. Additionally, .NET 9 STS has been granted a six-month extension, now reaching end of support on November 10, 2026.