Microsoft Patch Tuesday April 2026: what to patch first
April 2026 ships 163 CVEs, two zero-days, eight Criticals. A SharePoint spoofing flaw is already exploited, and a CVSS 9.8 unauthenticated Windows IKE RCE goes in the same first wave.
TL;DR: April 2026 is one of the largest Microsoft monthly rollups on record. 163 CVEs in core products, 8 Critical, 154 Important, 1 Moderate, plus two zero-days. CVE-2026-32201, a SharePoint Server spoofing flaw, is being exploited in the wild and is on the CISA KEV catalogue with a federal deadline. CVE-2026-33824, a CVSS 9.8 unauthenticated RCE in Windows IKE service extensions, sits in the same first wave. The Defender Antimalware Platform LPE CVE-2026-33825 (BlueHammer) shipped with a public proof-of-concept already in circulation. Elevation of privilege accounts for 57% of the release, a record share.
Last reviewed 2026-05-21 by fredrik-standahl
What Microsoft shipped
Microsoft released the April 2026 security update on April 14, 2026. Microsoft’s own Security Update Guide lists 163 CVEs across core products, with 8 rated Critical, 154 Important and 1 Moderate. Third-party trackers cite slightly different totals (BleepingComputer counts 167 flaws, The Hacker News 168) because they fold in republished CVEs, Edge updates and other adjacent fixes. We use Microsoft’s number for the core release.
Seven of the eight Critical issues are remote code execution; the eighth is a denial of service. Elevation of privilege dominates by category at 93 patches or 57% of the release, with remote code execution and information disclosure each at roughly 12%. Products touched range across SharePoint Server, Windows kernel and networking stack, Active Directory, Microsoft Defender, Windows IKE/IPsec, TCP/IP, Hyper-V and the usual Office and Edge components.
Patch these first
CVE-2026-32201: SharePoint Server spoofing (zero-day, exploited). Improper input validation in Microsoft Office SharePoint lets an unauthenticated attacker impersonate legitimate users over the network. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. CISA added it to the Known Exploited Vulnerabilities catalogue on April 14, 2026 with a federal remediation deadline of April 28. BleepingComputer reported more than 1,300 internet-facing SharePoint servers still unpatched two weeks after release. Any on-prem SharePoint that touches the public internet goes in the first patch window.
CVE-2026-33824: Windows IKE Service Extensions RCE (CVSS 9.8). A double-free during IKEv2 fragment reassembly lets an unauthenticated attacker run code on any Windows system listening on UDP/500 or UDP/4500. That covers the bulk of Windows VPN gateways and RRAS deployments. Microsoft’s mitigation advice for hosts that cannot patch immediately is to block inbound UDP/500 and UDP/4500 or restrict them to known peers. Treat VPN concentrators and any IKEv2-enabled server the same way you treat domain controllers this week.
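For a host that cannot take the cumulative in the first window, the stopgap is to confirm what is actually listening and then scope UDP/500 and UDP/4500 to the peers that legitimately negotiate IKE with it. The script below is an added example, not code from Microsoft or from any of the sources listed at the end; the peer addresses and the rule name are placeholders you replace with your own. Run it elevated, and not over an IKEv2 VPN session to the same host, because step 3 drops the open rules before step 4 adds the scoped one.

```powershell
# Added example: inventory IKE exposure on this host and apply the UDP/500 + UDP/4500
# stopgap until the April cumulative is installed. $KnownPeers is an assumption:
# replace with the real VPN/RRAS peer addresses or ranges; leave it empty on a host
# that should not negotiate IKE with anyone.
$KnownPeers = @('203.0.113.10', '198.51.100.0/24')
$RuleName   = 'IKE-In from known peers only (CVE-2026-33824 stopgap)'

# 1. Is this host exposed? IKEEXT is the IKE/AuthIP keying module; the UDP endpoint
#    list shows whether anything is bound on 500 (IKE) and 4500 (NAT-T).
Get-Service -Name IKEEXT | Select-Object Name, Status, StartType
Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. A scoped Allow rule only restricts anything if the default inbound action is
#    Block on every active profile. Warn where it is not.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -and $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object { Write-Warning "Profile $($_.Name): default inbound is $($_.DefaultInboundAction), not Block" }

# 3. Disable every enabled inbound Allow rule that opens UDP/500 or UDP/4500 explicitly,
#    whatever its display name. Rules that use a port range or 'Any' are not matched
#    here and need a manual look. GPO-sourced rules cannot be changed locally.
$portMatch = { $_.Protocol -eq 'UDP' -and ($_.LocalPort -contains '500' -or $_.LocalPort -contains '4500') }
$openRules = Get-NetFirewallPortFilter | Where-Object $portMatch | Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
foreach ($r in $openRules) {
    if ($r.PolicyStoreSourceType -eq 'GroupPolicy') {
        Write-Warning "Rule '$($r.DisplayName)' comes from Group Policy; change it in the GPO, not here"
        continue
    }
    Write-Host "Disabling open rule: $($r.DisplayName)"
    Disable-NetFirewallRule -Name $r.Name
}

# 4. One Allow rule scoped to the known peers. With an empty peer list nothing is
#    added and, given a Block default, the ports are closed to everyone.
if ($KnownPeers.Count -gt 0 -and -not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort 500, 4500 -RemoteAddress $KnownPeers -Action Allow -Profile Any | Out-Null
}

# 5. Show the resulting rule set for the two ports so the change can be reviewed.
Get-NetFirewallPortFilter | Where-Object $portMatch | Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action, Profile, PolicyStoreSourceType
```

Windows Firewall evaluates explicit Block rules ahead of Allow rules, which is why the script relies on the profile's Block default plus a single scoped Allow rather than adding a Block rule that would also cut off the known peers. The stopgap reduces exposure to the peers you already trust; it does not remove the double-free, so the host still goes on the patch list.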
CVE-2026-33825: Microsoft Defender Antimalware Platform LPE, “BlueHammer” (CVSS 7.8, publicly disclosed). A time-of-check-to-time-of-use race in Defender signature updates lets a standard user escalate to NT AUTHORITY\SYSTEM. A working proof-of-concept was published before the patch shipped, so any device that has not pulled the Defender platform update is exposed to a pre-built exploit. CISA later added CVE-2026-33825 to the KEV catalogue confirming in-the-wild abuse and setting a federal deadline of May 7. The Defender platform update is delivered out-of-band and may have already landed silently. Verify across the fleet.
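“Verify across the fleet” means comparing the Defender platform build on every device against the first fixed build, and treating a device you cannot query as unverified rather than dropping it from the list. The script below is an added example, not Microsoft's or any vendor's code. The minimum platform version it takes is an assumption: read the fixed build from the CVE-2026-33825 entry in the Security Update Guide and substitute it.

```powershell
# Added example: fleet check of the Defender antimalware platform build (AMProductVersion)
# against the first fixed build for CVE-2026-33825. Run from a management host with
# WinRM access to the fleet. The version passed in below is a PLACEHOLDER (assumption).
function Get-DefenderPlatformState {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [version]  $MinimumPlatform
    )
    $unreachable = @()
    $results = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -ErrorVariable +unreachable -ScriptBlock {
            $s = Get-MpComputerStatus
            [pscustomobject]@{
                Platform   = $s.AMProductVersion
                Engine     = $s.AMEngineVersion
                Signatures = $s.AntivirusSignatureVersion
                Mode       = $s.AMRunningMode
            }
        }
    foreach ($r in $results) {
        [pscustomobject]@{
            Computer = $r.PSComputerName
            Platform = $r.Platform
            Engine   = $r.Engine
            Mode     = $r.Mode
            Patched  = ([version]$r.Platform -ge $MinimumPlatform)
        }
    }
    # A host that did not answer is a host whose platform build you have not verified.
    foreach ($e in $unreachable) {
        [pscustomobject]@{
            Computer = $e.TargetObject
            Platform = $null
            Engine   = $null
            Mode     = 'UNREACHABLE'
            Patched  = $false
        }
    }
}

# hosts.txt: one hostname per line (assumed inventory export).
$state = Get-DefenderPlatformState -ComputerName (Get-Content .\hosts.txt) `
                                   -MinimumPlatform '4.18.26040.0'   # PLACEHOLDER build
$state | Sort-Object Patched, Computer | Format-Table -AutoSize

# Everything not confirmed patched goes to the ticket; reachable ones also get a
# signature/engine refresh now. The platform build itself comes through the Windows
# Update / WSUS channel, so push it from your update tooling, not from this script.
$exposed = $state | Where-Object { -not $_.Patched }
$exposed | Export-Csv .\defender-exposed.csv -NoTypeInformation
$refresh = ($exposed | Where-Object Mode -ne 'UNREACHABLE').Computer
if ($refresh) {
    Invoke-Command -ComputerName $refresh -ScriptBlock { Update-MpSignature } -ErrorAction SilentlyContinue
}
```

The three version fields are deliberately kept separate: signatures and the engine update several times a day and will look current on a device whose platform is still the pre-patch build, which is exactly the device the BlueHammer proof-of-concept targets.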
CVE-2026-33827: Windows TCP/IP RCE (CVSS 8.1). A race condition in the Windows TCP/IP stack gives an unauthenticated remote attacker code execution by sending crafted packets. Microsoft rates exploitation as “More Likely”. Every supported Windows version is affected.
CVE-2026-33826: Windows Active Directory RCE (CVSS 8.0, “Exploitation More Likely”). Improper input validation in an AD RPC path lets an authenticated attacker on the adjacent network execute code inside the RPC host process. Domain controllers across Windows Server 2012 R2 through 2025 are affected, and the path from low-privileged AD user to full domain takeover is short. Patch with the same urgency as the IKE RCE.
Zero-days and exploitation status
Two zero-days shipped on April 14. CVE-2026-32201 was confirmed exploited in the wild before the patch landed and remains under active abuse, with over 1,300 exposed SharePoint servers still unpatched at the end of April. CVE-2026-33825 (BlueHammer) was publicly disclosed before patch day with a working proof-of-concept, and later promoted to KEV after in-the-wild detections. Both reset the May 2026 “no zero-day” streak. April is the more typical pattern.
Wider context
Two themes from this release matter beyond the individual CVEs. First, elevation of privilege now accounts for 57% of monthly Microsoft CVEs, a record share that has trended up across the last eight months. The implication for SMB defenders is that initial-access prevention is doing more work than it should, because once an attacker gets a foothold the privilege escalation toolbox is unusually well-stocked right now. Local admin hygiene, EDR coverage on every endpoint and just-in-time admin elevation move from “nice to have” to “the thing that keeps a phishing click from becoming a domain compromise”.
Second, the SharePoint zero-day is a continuation of a multi-quarter pattern where on-premises Microsoft collaboration servers (Exchange, SharePoint, Skype/Lync) keep producing high-impact exposed-surface bugs. If you are still running on-prem SharePoint for reasons that are not strictly mandated, this is one more data point for the migration business case.
What to do now
- Patch on-premises SharePoint Server today. Confirm internet exposure and patch level for every Subscription Edition, 2019 and 2016 farm. Cross-check the CISA KEV listing.
- Push the April cumulative to VPN gateways, RRAS servers and any host with IKEv2 enabled. If patching has to wait, block inbound UDP/500 and UDP/4500 or restrict them to known peer addresses.
- Patch domain controllers in the same window. CVE-2026-33826 plus the long tail of EoP fixes shortens the path from any low-privileged AD account to full domain compromise.
- Verify Microsoft Defender platform version across the fleet and force-update any device still on the pre-patch build. The BlueHammer PoC is in the open.
- Run a current local-admin and privileged-access audit. With elevation of privilege at a record share of the release, the realistic threat model is “attacker is already inside, now what”, and the controls that matter live in identity, EDR and just-in-time admin.
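The privileged-access audit in the last item is the one that tells you how far a foothold can travel once the EoP toolbox is this well stocked. The script below is an added example, not from the sources above: it flattens the Tier-0 AD groups (nested membership included, which is where forgotten admins hide), flags stale and kerberoastable admin accounts, then pulls the local Administrators membership from every member server. The group list and the 90-day staleness threshold are assumptions; extend the list with your own custom admin groups.

```powershell
# Added example: snapshot of who holds privilege right now, in AD and on each server's
# local Administrators group. Needs the ActiveDirectory RSAT module and WinRM access.
Import-Module ActiveDirectory

# Tier-0 and operator groups (assumption: add your own custom admin groups here).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins'
$StaleDays = 90   # assumption: treat admins with no logon in 90 days as stale

$adReport = foreach ($g in $PrivilegedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    # -Recursive flattens nested groups so indirect members are listed too.
    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, Enabled, ServicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Group      = $g
                User       = $_.SamAccountName
                Enabled    = $_.Enabled
                LastLogon  = $_.LastLogonDate
                PwdLastSet = $_.PasswordLastSet
                Stale      = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
                HasSPN     = ($_.ServicePrincipalName.Count -gt 0)   # privileged account with an SPN: kerberoastable
            }
        }
}
$adReport | Sort-Object Group, User | Format-Table -AutoSize
$adReport | Export-Csv .\ad-privileged.csv -NoTypeInformation

# Local Administrators on member servers. Direct user grants and local accounts are
# the standing privilege that just-in-time elevation should be replacing.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq "True"' |
           Select-Object -ExpandProperty DNSHostName
$localReport = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{ Member = $_.Name; Class = $_.ObjectClass; Source = $_.PrincipalSource }
    }
}
$localReport |
    Where-Object { $_.Class -eq 'User' -or $_.Source -eq 'Local' } |
    Select-Object PSComputerName, Member, Class, Source |
    Sort-Object Member, PSComputerName | Format-Table -AutoSize
$localReport | Export-Csv .\local-admins.csv -NoTypeInformation
```

Read the two exports together: a user who appears in a Tier-0 group and as a direct local admin on a dozen servers is the account whose single phishing click the EoP fixes in this release would otherwise turn into a domain compromise, and the one to move into just-in-time elevation first.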
Talk to Fredrik if you want our read on prioritization for your stack.
Drafted with AI assistance, reviewed and edited by Fredrik Standahl and the FM editorial team.
Sources
- Microsoft Security Update Guide, msrc.microsoft.com/update-guide
- Tenable, “Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)”
- BleepingComputer, “Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days”
- Cisco Talos Intelligence, “Microsoft Patch Tuesday for April 2026: Snort rules and prominent vulnerabilities”
- Zero Day Initiative, “The April 2026 Security Update Review”
- CrowdStrike, “April 2026 Patch Tuesday: Updates and Analysis”
- The Hacker News, “Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities”
- Security Affairs, “Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day”
- Picus Security, “BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained”
- Dark Reading, “Privilege Elevation Dominates Massive Microsoft Patch Update”
