Chipp.in Tech News and Reviews


One Exploited Zero-Day and Record Numbers: The April 2026 Windows Patch Tuesday Breakdown

Posted on April 15, 2026 by Martin Brinkmann

If March 2026 was a marathon of infrastructure updates, April is an avalanche of patches.

Microsoft’s fourth Patch Tuesday of 2026 has arrived, addressing a massive 165 vulnerabilities in total. The sheer volume demands attention. It contains two 0-day vulnerabilities — one of which is actively exploited in the wild — and eight critical flaws affecting a wide range of products, including Office, SharePoint, Microsoft Defender, and Azure.

Here is the breakdown of what you need to know, what to patch first, and what might break.

The April 2026 Patch Day overview

Executive Summary

  • Release Date: April 14, 2026
  • Total Vulnerabilities: 165
  • Critical Vulnerabilities: 8
  • Zero-Days: 2 (SharePoint [Actively Exploited], Microsoft Defender [Publicly Disclosed])

Key Action Item: Administrators must prioritize patching internet-facing SharePoint servers due to the actively exploited spoofing zero-day. Simultaneously, network infrastructure and Active Directory components need immediate updates to mitigate several highly critical Remote Code Execution vulnerabilities.

Important Patches

  • CVE-2026-32201 — Microsoft Office SharePoint Spoofing Vulnerability
  • CVE-2026-33825 — Microsoft Defender Elevation of Privilege Vulnerability
  • CVE-2026-33824 — Windows Internet Key Exchange (IKE) Extension Remote Code Execution Vulnerability
  • CVE-2026-33827 — Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2026-33826 — Windows Active Directory Remote Code Execution Vulnerability
  • CVE-2026-23666 — .NET Denial of Service Vulnerability

Cumulative Updates

  • Windows 11 & Windows 10
      Links: KB5082200 (Windows 10), KB5083768 (Windows 11, 26H1), KB5083769 (Windows 11, version 25H2 and 24H2)
      Notes: Security updates addressing OS-level RCEs in TCP/IP, IKE, and Active Directory components. Also resolves numerous Elevation of Privilege (EoP) flaws across Windows Kernel, Boot Loader, and BitLocker.
  • Microsoft SharePoint Server
      Notes: Patches for SharePoint 2016, 2019, and Subscription Edition to address the actively exploited CVE-2026-32201 spoofing flaw.
  • Microsoft Office
      Notes: Security updates addressing multiple Critical Use-After-Free and Untrusted Pointer Dereference vulnerabilities resulting in local code execution.

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed that it patched two 0-day vulnerabilities this Patch Day and several critical remote code execution flaws.

Here is the critical overview:

CVE-2026-32201 (Microsoft Office SharePoint Spoofing Vulnerability)

This actively exploited zero-day allows an unauthorized attacker to perform spoofing over a network due to improper input validation in Microsoft Office SharePoint. An attacker who successfully exploits this can view sensitive information and make changes to disclosed information.

CVE-2026-33825 (Microsoft Defender Elevation of Privilege Vulnerability)

A publicly disclosed zero-day flaw in Microsoft Defender that allows privilege escalation to SYSTEM privileges. Microsoft has addressed the flaw in the Microsoft Defender Antimalware Platform update version 4.18.26050.3011, which should be downloaded to (most) systems automatically.

CVE-2026-33824 (Windows Internet Key Exchange (IKE) Extension RCE)

A critical double-free vulnerability in the Windows IKE extension. An unauthenticated attacker can send specially crafted packets to a Windows machine with IKE version 2 enabled to potentially achieve remote code execution. If IKE is not in use, blocking inbound traffic on UDP ports 500 and 4500 acts as a mitigation.
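The two host-level checks described above (the Defender platform version for CVE-2026-33825 and the UDP 500/4500 mitigation for CVE-2026-33824) can be audited with a short PowerShell script. This is an added example, not part of the original article or Microsoft's guidance; the rule name and the "IKE in use" heuristic are assumptions of the example, and it expects an elevated session.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
$FixedPlatform = [version]'4.18.26050.3011'  # Defender platform version named in the article
$IkePorts      = 500, 4500                   # UDP ports named in the article
$RuleName      = 'Block inbound IKE (example rule)'  # hypothetical rule name

function Test-DefenderPlatform {
    # AMProductVersion is the Antimalware Platform version Defender reports.
    $current = [version](Get-MpComputerStatus -ErrorAction Stop).AMProductVersion
    [pscustomobject]@{
        Current  = $current
        Required = $FixedPlatform
        Patched  = $current -ge $FixedPlatform
    }
}

function Test-IkeLikelyInUse {
    # Heuristic (assumption of this example): the IKEEXT keying service is running
    # and at least one IPsec connection security rule is enabled. A host that
    # terminates IKEv2 VPN connections must be confirmed by hand before blocking.
    $svc   = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    ($null -ne $svc) -and ($svc.Status -eq 'Running') -and ($rules.Count -gt 0)
}

function Set-IkeInboundBlock {
    param([switch]$Apply)   # report only unless -Apply is given
    if (Test-IkeLikelyInUse) {
        return 'IKE appears to be in use: do not block, install the cumulative update.'
    }
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        return 'Block rule already present.'
    }
    if (-not $Apply) {
        return "IKE not in use: rerun with -Apply to block inbound UDP $($IkePorts -join ', ')."
    }
    # Windows Firewall block rules take precedence over allow rules for the same traffic.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort $IkePorts -Action Block -Profile Any | Out-Null
    "Created inbound block rule for UDP $($IkePorts -join ', ')."
}

Test-DefenderPlatform | Format-List
Set-IkeInboundBlock            # add -Apply to create the rule
```

The firewall rule is a stopgap for hosts that cannot be patched immediately; remove it once the cumulative update is installed if IKE is needed later.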

CVE-2026-33827 (Windows TCP/IP Remote Code Execution)

A critical race condition vulnerability in Windows TCP/IP that can result in remote code execution. An unauthenticated actor can send specially crafted IPv6 packets to a Windows node where IPSec is enabled to potentially achieve RCE.

CVE-2026-33826 (Windows Active Directory Remote Code Execution)

A critical improper input validation flaw in Windows Active Directory. It allows an authenticated attacker to execute code over an adjacent network.

First Steps: Your Patch Tuesday Strategy

  • Prioritize the SharePoint zero-day
  • Address network and directory risks
  • Update Office installations

4 thoughts on “One Exploited Zero-Day and Record Numbers: The April 2026 Windows Patch Tuesday Breakdown”

  1. Tachy says:
    April 15, 2026 at 1:17 pm

    “massive 165 vulnerabilities”

    Claude’s been busy.

    1. boris says:
      April 16, 2026 at 4:05 am

      And if Copilot is fixing them, Claude will be even busier next time. It is a cycle. They finally found something for Copilot to do.

  2. Paul(us) says:
    April 15, 2026 at 6:03 pm

    Hi Martin, thanks again for your overview so I can understand what I’m doing when I install 165 patches (a ridiculous number, by the way, but that’s beside the point).
    It’s a shame you didn’t include the Excel sheet link with the list of all Microsoft patches for us again.
    Would it perhaps be a good idea if you included a scale from 1 to 10 indicating how safe it is to install each patch?

    Otherwise, I’m still busy completely banning Microsoft and Google products from my system because of the increasingly extreme things they think they can get away with.
    Mint works like a charm, Thunderbird has never worked better, and LibreOffice is truly top-notch!
    I’m now putting the finishing touches on replacing Windows-specific applications (e.g., dnGrep) with minimally equivalent alternatives in Linux, and that’s coming along nicely too.

    1. Martin Brinkmann says:
      April 16, 2026 at 12:48 pm

      I can add the Excel list next time, no problem!
