Microsoft Patch Tuesday, April 2026 Security Update Review
April 2026’s Patch Tuesday arrives with Microsoft addressing a fresh set of vulnerabilities across its ecosystem, reinforcing the ongoing need for timely patching in an increasingly threat-heavy landscape. Here’s a quick breakdown of what you need to know.
This month’s release addresses 163 vulnerabilities, including eight critical-severity vulnerabilities. The updates also address one publicly disclosed zero-day vulnerability and one that is being exploited in the wild.
Microsoft addressed 80 vulnerabilities in Microsoft Edge (Chromium-based) that were patched earlier this month. Microsoft Patch Tuesday, April edition, includes updates for vulnerabilities in Microsoft Graphics Component, Windows Kerberos, Windows Kernel, Windows Hyper-V, Microsoft Windows Speech, Remote Desktop Client, SQL Server, Azure Monitor Agent, Windows BitLocker, Microsoft Management Console, Windows IKE Extension, Microsoft Defender, Input-Output Memory Management Unit (IOMMU), and more.
This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts.
The April 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| --- | --- | --- |
| Spoofing Vulnerability | 8 | Important: 8 |
| Denial of Service Vulnerability | 9 | Critical: 1, Important: 8 |
| Elevation of Privilege Vulnerability | 93 | Important: 93 |
| Information Disclosure Vulnerability | 20 | Important: 20 |
| Remote Code Execution Vulnerability | 20 | Critical: 7, Important: 13 |
| Security Feature Bypass Vulnerability | 12 | Important: 12 |
Zero-day Vulnerabilities Patched in April Patch Tuesday Edition
CVE-2026-33825: Microsoft Defender Elevation of Privilege Vulnerability
Microsoft Defender is a comprehensive, AI-powered security suite that provides malware protection, phishing detection, and web protection for individuals and businesses.
An insufficient access-control granularity flaw in Windows Defender could allow an authenticated attacker to elevate local privileges. Insufficient Granularity of Access Control occurs when security policies are too broad, allowing authorized users to access data or perform actions beyond their intended permissions.
CVE-2026-32201: Microsoft SharePoint Server Spoofing Vulnerability
An improper input validation vulnerability in Microsoft Office SharePoint may allow an unauthenticated attacker to perform network spoofing.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before April 28, 2026.
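The KEV listing gives CVE-2026-32201 a fixed remediation deadline, so open findings for it should sort ahead of everything else. The sketch below is an added example, not part of the original article or any Qualys tooling: it joins a scanner export against a KEV-style feed and orders hosts by deadline. The host names, the findings format and the `product` string are constructed; `cveID` and `dueDate` are field names from CISA's KEV JSON feed.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. The CVE id and due date
# are the ones stated in the article; the "product" string is an assumption.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft",
   "product": "SharePoint Server", "dueDate": "2026-04-28"}
]}
""")

# Constructed scanner export, one row per (host, CVE) finding. Hosts are hypothetical.
FINDINGS = [
    {"host": "ws-0417.example.internal", "cve": "CVE-2026-33825", "internet_facing": False},
    {"host": "sp-farm-02.example.internal", "cve": "cve-2026-32201", "internet_facing": False},
    {"host": "rdgw-01.example.internal", "cve": "CVE-2026-32157", "internet_facing": True},
    {"host": "sp-farm-01.example.internal", "cve": "CVE-2026-32201", "internet_facing": True},
]


def kev_due_dates(feed):
    """Map normalized CVE id -> KEV remediation due date."""
    return {v["cveID"].upper(): date.fromisoformat(v["dueDate"])
            for v in feed.get("vulnerabilities", [])}


def triage(findings, feed, today):
    """Order findings for patching: KEV-listed first (most overdue / nearest
    due date first), then internet-facing hosts ahead of internal ones."""
    due = kev_due_dates(feed)
    rows = []
    for f in findings:
        d = due.get(f["cve"].upper())
        days_left = (d - today).days if d else None
        status = "not-in-kev" if d is None else ("overdue" if days_left < 0 else "due")
        rows.append({**f, "kev_due": d, "days_left": days_left, "status": status})
    return sorted(rows, key=lambda r: (r["kev_due"] is None, r["days_left"] or 0,
                                       not r["internet_facing"], r["host"]))


if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_FEED, date(2026, 4, 20)):
        print(f'{r["status"]:<10} {r["days_left"]!s:>5} {r["host"]:<30} {r["cve"].upper()}')
```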
Critical Severity Vulnerabilities Patched in April Patch Tuesday Edition
CVE-2026-32157: Remote Desktop Client Remote Code Execution Vulnerability
A use-after-free flaw in the Remote Desktop Client may allow an unauthenticated attacker to execute code over the network. Successful exploitation of the vulnerability requires an authenticated user on the client to connect to a malicious server.
CVE-2026-33826: Windows Active Directory Remote Code Execution Vulnerability
An improper input validation flaw in Windows Active Directory could allow an authenticated attacker to execute code on an adjacent network. An attacker must send a specially crafted RPC call to an RPC host to exploit the vulnerability.
CVE-2026-23666: .NET Framework Denial of Service Vulnerability
A race condition flaw in the .NET Framework could allow an unauthenticated attacker to deny service to network clients.
CVE-2026-32190: Microsoft Office Remote Code Execution Vulnerability
A use-after-free vulnerability in Microsoft Office may allow an unauthenticated attacker to execute code locally.
CVE-2026-33114: Microsoft Word Remote Code Execution Vulnerability
A pointer dereference vulnerability in Microsoft Word allows an unauthenticated attacker to execute code locally.
CVE-2026-33115: Microsoft Word Remote Code Execution Vulnerability
A use-after-free vulnerability in Microsoft Office Word could allow an unauthenticated attacker to execute code locally.
CVE-2026-33827: Windows TCP/IP Remote Code Execution Vulnerability
A race condition flaw in Windows TCP/IP may allow an unauthenticated attacker to execute code over a network. An attacker could send a specially crafted IPv6 packet to a Windows node with IPSec enabled, leading to remote code execution.
CVE-2026-33824: Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
Windows Internet Key Exchange is a foundational network security protocol used by Windows to set up secure, encrypted IPsec tunnels, primarily for VPN connections.
An unauthenticated attacker could send specially crafted packets to a Windows machine with Internet Key Exchange version 2 enabled, potentially leading to remote code execution.
Other Microsoft Vulnerability Highlights
- CVE-2026-26151 is a spoofing vulnerability in Remote Desktop. Successful exploitation of the vulnerability allows an unauthenticated attacker to perform network spoofing.
- CVE-2026-27906 is a security feature bypass vulnerability in Windows Hello. Successful exploitation of the vulnerability may allow an authenticated attacker to bypass a local security feature.
- CVE-2026-27908 is an elevation-of-privilege vulnerability in the Windows TDI Translation Driver (tdx.sys). A use-after-free flaw may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-27921 is an elevation-of-privilege vulnerability in the Windows TDI Translation Driver (tdx.sys). An attacker may exploit the vulnerability to gain SYSTEM privileges.
- CVE-2026-32093 is an elevation-of-privilege vulnerability in the Windows Function Discovery Service (fdwsd.dll). An authenticated attacker who successfully exploited this vulnerability could gain administrator privileges.
- CVE-2026-32152 and CVE-2026-32154 are elevation-of-privilege vulnerabilities in the Desktop Window Manager. A use-after-free flaw may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-0390 is a security feature bypass vulnerability in the Windows Boot Loader. Successful exploitation of the vulnerability may allow an authenticated attacker to bypass a local security feature.
- CVE-2026-32202 is a spoofing vulnerability in the Windows Shell. An unauthenticated attacker may exploit the vulnerability to perform network spoofing.
- CVE-2026-26169 is an information disclosure vulnerability in Windows Kernel Memory. An authenticated attacker may exploit the vulnerability to disclose information locally.
- CVE-2026-26173 is an elevation-of-privilege vulnerability in the Windows Ancillary Function Driver for WinSock. A race condition flaw may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-27909 is an elevation-of-privilege vulnerability in the Windows Search Service. A use-after-free flaw may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-27913 is a security feature bypass vulnerability in Windows BitLocker. An improper input validation flaw may allow an unauthenticated attacker to bypass a local security feature.
- CVE-2026-27914 is an elevation-of-privilege vulnerability in the Microsoft Management Console. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-32070 is an elevation-of-privilege vulnerability in the Windows Common Log File System Driver. A use-after-free flaw may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-32162 is an elevation-of-privilege vulnerability in Windows COM. Successful exploitation of the vulnerability may allow an unauthenticated attacker to gain SYSTEM privileges.
- CVE-2026-32225 is a security feature bypass vulnerability in Windows Shell. Successful exploitation of the vulnerability may allow an unauthenticated attacker to bypass a network security feature.
- CVE-2026-32075 is an elevation-of-privilege vulnerability in the Windows UPnP Device Host. Successful exploitation of the vulnerability may allow an authenticated attacker to gain administrator privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Boot Loader, Windows COM, Windows Recovery Environment Agent, Windows Management Services, Microsoft Office SharePoint, GitHub Copilot and Visual Studio Code, Microsoft Office Word, .NET Framework, Windows Virtualization-Based Security (VBS) Enclave, Applocker Filter Driver (applockerfltr.sys), Microsoft PowerShell, Microsoft Power Apps, Windows Remote Desktop, Windows Cryptographic Services, Windows Encrypting File System (EFS), Windows Server Update Service, Windows Local Security Authority Subsystem Service (LSASS), Windows Remote Desktop Licensing Service, Windows Sensor Data Service, Windows OLE, Windows Shell, Windows Push Notifications, Windows Ancillary Function Driver for WinSock, Windows Kernel Memory, .NET, Windows Boot Manager, Windows Client Side Caching driver (csc.sys), Windows Advanced Rasterization Platform, Microsoft Brokering File System, Windows RPC API, Windows Projected File System, Windows Hello, Windows Storage Spaces Controller, Windows TDI Translation Driver (tdx.sys), Microsoft Windows Search Component, Windows Installer, Windows User Interface Core, Windows Universal Plug and Play (UPnP) Device Host, Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys), Windows TCP/IP, Desktop Window Manager, Windows Cloud Files Mini Filter Driver, Windows LUAFV, Windows GDI, Windows SSDP Service, Windows Common Log File System Driver, Windows Active Directory, Windows File Explorer, Windows WalletService, Windows Remote Procedure Call, Function Discovery Service (fdwsd.dll), Windows Biometric Service, Windows Speech Brokered Api, Azure Logic Apps, Microsoft Windows, Windows Snipping Tool, Microsoft High Performance Compute Pack (HPC), Microsoft Office Excel, Microsoft Office, Windows Admin Center, Microsoft Office PowerPoint, .NET and Visual Studio, Universal Plug and Play (upnp.dll), Windows Redirected Drive Buffering, Windows Win32K – ICOMP, Windows USB Print Driver, Windows HTTP.sys, Windows Container Isolation FS Filter Driver, Windows Print Spooler Components, Microsoft Dynamics 365 (on-premises), Windows Win32K – GRFX, .NET, .NET Framework, Visual Studio, Microsoft Edge (Chromium-based), Node.js, Windows Secure Boot, and GitHub Repo: Git for Windows.
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).
You can see all hosts impacted by these vulnerabilities using the following QQL query:
vulnerabilities.vulnerability: ( qid: 92369 or qid: 92370 or qid: 92371 or qid: 92372 or qid: 92373 or qid: 92374 or qid: 92375 or qid: 92376 or qid: 92377 or qid: 92378 or qid: 92380 or qid: 92381 or qid: 110522 or qid: 110523 or qid: 110524 or qid: 387067 or qid: 387068 or qid: 387069 or qid: 387070 or qid: 387071 or qid: 5010966 )

Rapid Response with TruRisk
Eliminate
Patch to the Latest Version
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can select the respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Patch Tuesday:
( qid: 92369 or qid: 92370 or qid: 92371 or qid: 92372 or qid: 92373 or qid: 92374 or qid: 92375 or qid: 92376 or qid: 92377 or qid: 92378 or qid: 92380 or qid: 92381 or qid: 110522 or qid: 110523 or qid: 110524 or qid: 387067 or qid: 387068 or qid: 387069 or qid: 387070 or qid: 387071 or qid: 5010966 )

Visit the April 2026 Security Updates to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their networks with QIDs 92369, 92370, 92371, 92372, 92373, 92374, 92375, 92376, 92377, 92378, 92380, 92381, 110522, 110523, 110524, 387067, 387068, 387069, 387070, 387071, and 5010966 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide
https://msrc.microsoft.com/update-guide/releaseNote/2026-Apr
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32157
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23666
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32190
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33114
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33115
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33825
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201
