It’s another all hands on deck Patch Tuesday.
Microsoft released patches for a near record 165 CVEs, one of which attackers are already actively exploiting and another that’s publicly known but so far remains unexploited.
Microsoft assessed 19 of the newly disclosed vulnerabilities as flaws that attackers are more likely to exploit, meaning they need high-priority attention. In keeping with a relatively recent trend, nearly 60% of the patched flaws this month are elevation-of-privilege bugs, followed by remote code execution (RCE) flaws and information disclosure bugs.
Elevation of Privilege Bugs Galore
“Elevation of privilege bugs continue to dominate the Patch Tuesday cycle over the last eight months, accounting for a record 57% of all CVEs patched in April,” said Satnam Narang, senior staff research engineer at Tenable, in emailed comments. “RCE vulnerabilities have dropped to just 12%, tied with information disclosure vulnerabilities this month.” The 165 flaws Microsoft patched this month fall just short of the 175 vulnerabilities disclosed in October 2025. At this pace, the company in 2026 could once again surpass 1,000 vulnerability disclosures in a single year, Narang added.
The zero-day that attackers are actively exploiting is CVE-2026-32201 (CVSS: 6.5), a spoofing vulnerability in Microsoft SharePoint Server that gives attackers a way to view and modify sensitive information. Attackers can abuse the flaw to spoof trusted content or interfaces over a network, said Mike Walters, president and co-founder of Action1, in a statement. “By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content,” Walters said. “While the direct impact on data is limited, the ability to deceive users makes this a powerful tool for broader attacks.”
The other zero-day vulnerability (publicly disclosed, proof-of-concept available, but yet-to-be-exploited) is CVE-2026-33825 (CVSS: 7.8), one of more than 90 elevation-of-privilege bugs in this month’s set. The bug affects Microsoft’s built-in Defender antimalware platform. An attacker who successfully exploits the flaw can gain system-level privileges on affected devices. Organizations that have configured their Defender instances to receive automatic updates are already patched against the flaw and need to take no additional action besides verifying they have received the update, Microsoft said. The vulnerability is one that attackers are more likely to exploit, according to Microsoft.
Jack Bicer, director of vulnerability research at Action1, perceived the flaw as one that attackers will likely chain with other exploits to expand initial access on an affected system. “CVE-2026-33825 significantly increases risk in environments where attackers have already gained a foothold,” and gives adversaries a way to gain total control over vulnerable endpoints.
According to Tyler Reguly, associate director of security R&D at Fortra, CVE-2026-33825 also appears to be the vulnerability involved in the BlueHammer proof-of-concept exploit that a researcher recently publicly disclosed, while citing unhappiness with Microsoft’s response to his bug disclosure.
A Handful of Critical Bugs
Microsoft assessed only eight of the vulnerabilities in its massive patch update as being of critical severity — the vast majority of the others it ranked as being of moderate or “Important” severity.
Among the critical vulnerabilities is CVE-2026-33824 (CVSS: 9.8) an unauthenticated RCE flaw in Windows Internet Key Exchange (IKE) Service Extensions, a Windows component associated with encrypted network connections. Microsoft wants organizations affected by the flaw to either install the patch immediately or block incoming traffic on UDP ports 500 and 4500 for systems that do not use IKE. “For systems that require IKE, configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses,” Microsoft advised.
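As an added illustration (not from Microsoft's advisory or this article), the following PowerShell applies that interim mitigation with the built-in NetSecurity cmdlets: it blocks inbound UDP 500 and 4500 outright on hosts that do not run the IKE service, and on hosts that do, it allows those ports only from a list of known peers while disabling any pre-existing allow rules that are broader. The peer addresses, rule names and the use of the IKEEXT service state as the "uses IKE" signal are assumptions for the example.

```powershell
# Added example: interim firewall mitigation for CVE-2026-33824 (not Microsoft's own script).
# Run from an elevated PowerShell session on the host being protected.

# ASSUMPTION: addresses of the VPN gateways / IPsec peers this host must still talk to.
# The values below are constructed samples from the RFC 5737 documentation range.
$KnownIkePeers = @('203.0.113.10', '203.0.113.11')
$IkePorts      = @('500', '4500')
$RulePrefix    = 'IKE-Mitigation'   # assumed naming convention for the rules this script owns

# ASSUMPTION: a running "IKE and AuthIP IPsec Keying Modules" service (IKEEXT) is the signal
# that this host genuinely needs inbound IKE; adapt to your own inventory if that is not true.
$ikeSvc      = Get-Service -Name 'IKEEXT' -ErrorAction SilentlyContinue
$hostUsesIke = ($null -ne $ikeSvc) -and ($ikeSvc.Status -eq 'Running') -and ($KnownIkePeers.Count -gt 0)

# Make the script idempotent: drop any rules from a previous run before creating new ones.
Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

if (-not $hostUsesIke) {
    # Host does not use IKE: block inbound UDP/500 and UDP/4500 from every remote address.
    New-NetFirewallRule -DisplayName "$RulePrefix-Block-All" `
        -Direction Inbound -Protocol UDP -LocalPort $IkePorts `
        -Action Block -Profile Any | Out-Null
}
else {
    # Host needs IKE: allow inbound UDP/500 and UDP/4500 only from the known peers.
    New-NetFirewallRule -DisplayName "$RulePrefix-Allow-KnownPeers" `
        -Direction Inbound -Protocol UDP -LocalPort $IkePorts `
        -RemoteAddress $KnownIkePeers -Action Allow -Profile Any | Out-Null

    # Caveat: Windows Firewall gives Block rules precedence over Allow rules, so adding a
    # catch-all Block here would also cut off the known peers. Instead, rely on the profile's
    # default inbound action (Block) and disable any other Allow rule that already opens
    # these ports more broadly than the rule just created.
    Get-NetFirewallPortFilter |
        Where-Object {
            $_.Protocol -eq 'UDP' -and
            ($_.LocalPort -contains '500' -or $_.LocalPort -contains '4500' -or $_.LocalPort -eq 'Any')
        } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
            $_.Enabled -eq 'True' -and $_.DisplayName -notlike "$RulePrefix-*"
        } |
        ForEach-Object {
            Write-Warning "Disabling broader inbound allow rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }

    # Sanity check: the mitigation only holds if the active profiles default to Block inbound.
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -and $_.DefaultInboundAction -ne 'Block' } |
        ForEach-Object { Write-Warning "Profile $($_.Name) does not default to Block inbound" }
}

# Show the resulting rules so the change can be reviewed before the patch is rolled out.
Get-NetFirewallRule -DisplayName "$RulePrefix-*" |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

The script is a stop-gap for hosts that cannot take the patch immediately; once the update is installed the rules can be removed with the same `Remove-NetFirewallRule` call it uses at the top.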
CVE-2026-33827 (CVSS: 8.1) is another unauthenticated RCE vulnerability affecting Windows secure tunneling and authentication components that operate above the TCP/IP layer. “It is rare that you see a truly remote TCP/IP vulnerability these days and that’s exactly what CVE-2026-33827 is,” Reguly said in a statement. “The attack complexity is listed as high because the vulnerability is based on a race condition as well as ‘additional actions,’ as Microsoft calls it, but it is still impressive to see these vulnerabilities identified in 2026.”
CVE-2026-33114 (CVSS: 8.4) and CVE-2026-33115 (CVSS: 8.4), both RCE flaws in Microsoft Word, are two other vulnerabilities that Microsoft rated as critical, though it assessed the chances of attackers actually exploiting them as low. Meanwhile, the vulnerabilities that the company thinks attackers are more likely to exploit included CVE-2026-26151 (CVSS: 7.1), a spoofing vulnerability in Windows Desktop; CVE-2026-26169 (CVSS: 6.1), an information disclosure flaw affecting Windows Kernel memory; and CVE-2026-27906 (CVSS: 4.4), a Windows Hello security bypass vulnerability.
Dozens of Edge and Chromium Fixes
Mat Lee, senior security engineer at Automox, highlighted nearly 80 Microsoft Edge and Chromium patches that Microsoft republished this week as part of its April 2026 security update. “Edge and Chromium patches are far easier to deploy than SQL Server or SharePoint updates,” Lee said via emailed comments. “There are no database migrations, no downtime windows, and no complex dependency chains. You can push browser updates across your fleet in minutes, making this a low-effort, high-return patching target.” With as many as 80 fixes to address, organizations should not let the minimal disruption caused by a browser restart stop them from addressing the vulnerabilities right away, he said.