April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs
CrowdStrike
Archived Apr 15, 2026
April 14, 2026 | Falcon Exposure Management Team | Exposure Management
Microsoft has addressed 164 vulnerabilities in its April 2026 security update release, double the number of vulnerabilities in March 2026. These include one exploited zero-day vulnerability, one previously disclosed zero-day vulnerability, and eight Critical vulnerabilities.
April 2026 Risk Analysis
This month's leading risk type by exploitation technique is elevation of privilege with 93 patches (57%). Remote code execution (RCE) and information disclosure followed with 20 patches each (12%).
Figure 1. Breakdown of April 2026 Patch Tuesday exploitation techniques
Microsoft Windows received by far the most patches this month with 131 (80%), followed by Microsoft Office with 14, and Developer Tools with 8.
Figure 2. Breakdown of product families affected by April 2026 Patch Tuesday
Exploited Zero-Day Vulnerability in Microsoft SharePoint Server
CVE-2026-32201 is an Important spoofing vulnerability affecting Microsoft SharePoint Server and has a CVSS score of 6.5. It has been exploited in the wild as a zero-day. This vulnerability allows unauthenticated remote attackers to perform spoofing by exploiting an improper input validation flaw (CWE-20) in Microsoft Office SharePoint. No user interaction is required and attack complexity is low.
An attacker that successfully exploits this vulnerability could view sensitive information and make changes to disclosed information, impacting both confidentiality and integrity of the affected system. Availability is not impacted. An official fix is available for customers to deploy.
Table 1. Exploited zero-day vulnerability in Microsoft SharePoint Server
Severity | CVSS Score | CVE | Description
Important | 6.5 | CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability
Disclosed Zero-Day Vulnerability in Microsoft Defender
CVE-2026-33825 is an Important elevation of privilege vulnerability affecting Microsoft Defender and has a CVSS score of 7.8. This vulnerability allows local attackers with low privileges to elevate their privileges by exploiting an insufficient granularity of access control flaw (CWE-1220) in Microsoft Defender. It requires no user interaction and has low attack complexity. An attacker that successfully exploits this vulnerability could gain SYSTEM privileges.
This vulnerability had been publicly disclosed prior to a patch being released, though there is no evidence of exploitation in the wild. Proof-of-concept exploit code exists, and Microsoft assesses exploitation as more likely. An official fix is available for customers to deploy, though for some systems this update will be installed automatically with no action required. It is presumed this is the CVE for the BlueHammer exploit released on April 2, 2026, though there is no official confirmation at the time this blog was written.
Table 2. Disclosed zero-day vulnerability in Microsoft Defender
Severity | CVSS Score | CVE | Description
Important | 7.8 | CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability
Critical Vulnerability in Windows TCP/IP
CVE-2026-33827 is a Critical remote code execution vulnerability affecting Windows TCP/IP and has a CVSS score of 8.1. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting a race condition flaw (CWE-362) in the Windows TCP/IP stack. It requires no user interaction, though it carries high attack complexity.
An unauthenticated attacker could exploit this vulnerability by sending a specially crafted IPv6 packet to a Windows node where IPSec is enabled. Successful exploitation requires the attacker to win a race condition and take additional preparatory actions to configure the target environment prior to exploitation. An official fix is available for customers to deploy.
Table 3. Critical vulnerability in Windows TCP/IP
Severity | CVSS Score | CVE | Description
Critical | 8.1 | CVE-2026-33827 | Windows TCP/IP Remote Code Execution Vulnerability
Critical Vulnerability in Windows Internet Key Exchange (IKE) Service Extensions
CVE-2026-33824 is a Critical remote code execution vulnerability affecting Windows Internet Key Exchange (IKE) Service Extensions and has a CVSS score of 9.8. It allows unauthenticated remote attackers to execute arbitrary code by exploiting a double free flaw (CWE-415) in the Windows IKE Extension. No user interaction is required and attack complexity is low.
An unauthenticated attacker could exploit this vulnerability by sending specially crafted packets to a Windows machine with Internet Key Exchange (IKE) version 2 enabled, which could enable remote code execution on the target system. An official fix is available for customers to deploy.
For customers who cannot immediately apply the update, Microsoft recommends blocking inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE, or restricting inbound traffic on those ports to known peer addresses only for systems that require IKE. Note that these mitigations reduce attack surface but do not replace applying the security update.
Table 4. Critical vulnerability in Windows Internet Key Exchange (IKE) Service Extensions
Severity | CVSS Score | CVE | Description
Critical | 9.8 | CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability
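The interim mitigation described above for CVE-2026-33824, expressed with the built-in Windows firewall and service cmdlets. This is an added example, not code from CrowdStrike or Microsoft; the $IkePeers addresses and the rule name are constructed placeholders, and the peer-restriction branch assumes the host's default inbound action is Block.

```powershell
# Added example; run from an elevated PowerShell session.
param(
    # Constructed placeholder. Leave empty on hosts that do not use IKE; otherwise
    # list the real IPsec/VPN peers, e.g. '203.0.113.10','198.51.100.0/24'.
    [string[]]$IkePeers = @(),
    [switch]$Apply   # without -Apply the script only reports
)
$ikePorts = 500, 4500

# 1. Is the IKE keying service present, and is anything bound to the IKE ports?
Get-Service -Name IKEEXT -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
Get-NetUDPEndpoint -LocalPort $ikePorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Enabled inbound allow rules that name UDP 500 or 4500 explicitly.
#    Rules written with port ranges or 'Any' are not matched and need manual review.
$ikeAllowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'UDP' -and
            (@($pf.LocalPort) | Where-Object { $_ -in '500', '4500' })
    }
$ikeAllowRules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    }
}
if (-not $Apply) { return }

if ($IkePeers.Count -eq 0) {
    # Host does not use IKE: block both ports. Block rules override allow rules.
    $rule = @{
        DisplayName = 'Mitigation CVE-2026-33824: block inbound IKE'
        Direction   = 'Inbound'
        Protocol    = 'UDP'
        LocalPort   = $ikePorts
        Action      = 'Block'
        Profile     = 'Any'
    }
    New-NetFirewallRule @rule
} elseif ($ikeAllowRules) {
    # Host requires IKE: a block rule would also cut off the peers, so narrow the
    # existing allow rules to the known peers (relies on default inbound Block).
    $ikeAllowRules | Set-NetFirewallRule -RemoteAddress $IkePeers
} else {
    Write-Warning 'No explicit UDP 500/4500 allow rule found; review rules manually.'
}
```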
Critical Vulnerability in Remote Desktop Client
CVE-2026-32157 is a Critical remote code execution vulnerability affecting Remote Desktop Client and has a CVSS score of 8.8. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting a use-after-free flaw (CWE-416) in the Remote Desktop Client. It requires user interaction and has low attack complexity.
An attacker with control of a malicious Remote Desktop Server could exploit this vulnerability by enticing a victim to connect to the attacker-controlled server using a vulnerable Remote Desktop Client. Upon connection, the attacker could trigger remote code execution on the victim's machine. The attack targets the client side of the Remote Desktop connection, meaning the risk lies with users initiating connections to untrusted or compromised servers. An official fix is available for customers to deploy.
Table 5. Critical vulnerability in Remote Desktop Client
Severity | CVSS Score | CVE | Description
Critical | 8.8 | CVE-2026-32157 | Remote Desktop Client Remote Code Execution Vulnerability
Critical Vulnerabilities in Microsoft Office and Microsoft Word
CVE-2026-32190, CVE-2026-33114, and CVE-2026-33115 are Critical remote code execution vulnerabilities affecting Microsoft Office and Microsoft Word, all with a CVSS score of 8.4. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting a use-after-free flaw (CVE-2026-32190 and CVE-2026-33115) and an untrusted pointer dereference flaw (CVE-2026-33114) in Microsoft Office components. None of the three vulnerabilities requires user interaction, and all have low attack complexity. While no user interaction is required, an attacker would still need to cause a crafted file to be saved on a victim system.
The Preview Pane is an attack vector for all three vulnerabilities. As such, an attacker could create a specially crafted file that executes malicious code on the victim's machine simply through the preview pane, without requiring the victim to open the file. An official fix is available for customers to deploy.
Table 6. Critical vulnerabilities in Microsoft Office and Microsoft Word
Severity | CVSS Score | CVE | Description
Critical | 8.4 | CVE-2026-32190 | Microsoft Office Remote Code Execution Vulnerability
Critical | 8.4 | CVE-2026-33114 | Microsoft Word Remote Code Execution Vulnerability
Critical | 8.4 | CVE-2026-33115 | Microsoft Word Remote Code Execution Vulnerability
Critical Vulnerability in Windows Active Directory
CVE-2026-33826 is a Critical remote code execution vulnerability affecting Windows Active Directory and has a CVSS score of 8.0. This vulnerability allows authenticated attackers to execute arbitrary code by exploiting an improper input validation flaw (CWE-20) in Windows Active Directory. It requires no user interaction and has low attack complexity.
An authenticated attacker could exploit this vulnerability by sending a specially crafted RPC call to an RPC host, potentially resulting in remote code execution on the server side with the same permissions as the RPC service. Successful exploitation requires the attacker to be within the same restricted Active Directory domain as the target system. An official fix is available for customers to deploy.
Table 7. Critical vulnerability in Windows Active Directory
Severity | CVSS Score | CVE | Description
Critical | 8.0 | CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability
Critical Vulnerability in .NET Framework
CVE-2026-23666 is a Critical denial-of-service (DoS) vulnerability affecting the .NET Framework and has a CVSS score of 7.5. This vulnerability allows unauthenticated remote attackers to exploit an improper handling of exceptional conditions flaw (CWE-755) to cause a DoS condition on affected systems. It requires no user interaction and has low attack complexity. An official fix is available for customers to deploy.
Table 8. Critical vulnerability in Microsoft .NET Framework
Severity | CVSS Score | CVE | Description
Critical | 7.5 | CVE-2026-23666 | .NET Framework Denial of Service Vulnerability
Patch Tuesday Dashboard in the Falcon Platform
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.
Learn More
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources
For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
Make prioritization painless and efficient. Watch how Falcon Exposure Management enables IT staff to improve visibility with custom filters and team dashboards.
Find out how CrowdStrike Falcon® Next-Gen Identity Security products can stop workforce identity threats faster.
Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.
Fal.Con 2026 registration is now open. Join us in Las Vegas to explore what’s next in cybersecurity.