Microsoft April 2026 Patch Tuesday Fixes 168 Flaws, Includes Actively Exploited Zero-Day - cyberpress.org
By AnuPriya
April 15, 2026
Categories: Cyber Security News, Cybersecurity, Microsoft
Microsoft has released its April 2026 Patch Tuesday updates, fixing 168 vulnerabilities across Windows, cloud, and application products, including one actively exploited zero-day in Microsoft SharePoint Server.
Organizations are strongly advised to prioritize this update to reduce exposure to ongoing exploitation and widespread elevation of privilege risks.
Actively Exploited SharePoint Zero‑day
The headline flaw this month is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server that attackers are already exploiting in the wild.
The bug stems from improper input validation and allows remote attackers to conduct spoofing attacks against SharePoint environments without user interaction, enabling them to impersonate trusted entities and access or modify sensitive data.
Because many enterprises depend on SharePoint for daily collaboration and document workflows, this vulnerability represents a serious business risk and should be patched before other issues.
Security teams should immediately update all internet-facing SharePoint servers, verify that patches have been applied correctly, and review access logs for suspicious activity related to authentication or unusual user impersonation.
Where patching may be delayed, administrators should restrict external exposure, tighten network segmentation, and enforce strong authentication policies around SharePoint access.
Beyond the zero-day, Microsoft’s guidance and independent advisories highlight several important vulnerabilities that demand rapid remediation.
CVE-2024-26203 in Azure Data Studio is an elevation of privilege flaw that allows a local attacker with low privileges to bypass access controls and escalate their rights, potentially compromising confidentiality, integrity, and availability on affected systems.
Xbox Gaming Services is impacted by CVE-2024-28916, an elevation of privilege issue in Xbox cryptographic services that can grant attackers higher access rights when exploited.
CVE-2024-29059 in .NET Framework is an information disclosure vulnerability that can expose sensitive information, and it carries a high CVSS score of 7.5, underscoring the need for prompt patching on application servers.
Another disclosure bug, CVE-2024-26204 in Outlook for Android, could leak private email-related data, making it important for mobile users and administrators to ensure the latest app version is installed from official stores.
The April release also brings multiple hardening updates for Microsoft Edge (Chromium-based), addressing a low-severity spoofing bug (CVE-2024-29057) and several security feature bypass vulnerabilities (CVE-2024-26246, CVE-2024-26247) that could weaken browser security boundaries.
Microsoft integrated upstream Chromium fixes for severe memory management problems, including use-after-free flaws in WebCodecs, Dawn, Canvas, and ANGLE, as well as type confusion in WebAssembly and out-of-bounds reads in SwiftShader, which collectively reduce the risk of remote code execution through the browser.
Additional patches in Mariner and related open-source tooling resolve ONNX directory traversal (CVE-2024-27318), ONNX out-of-bounds reads (CVE-2024-27319), LoongArch out-of-bounds memory access (CVE-2024-26588), and TLS race conditions (CVE-2024-26583, CVE-2024-26585), strengthening Linux-based workloads and container environments.
CVE Table – Selected April 2026 Entries
| CVE ID | Title / Description | Type | Severity | Product / Component | CVSS | CVSS Severity |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-29059 | .NET Framework Information Disclosure Vulnerability | Information Disclosure | Important | .NET Framework | 7.5 | High |
| CVE-2024-29057 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Spoofing | Low | Microsoft Edge (Chromium-based) | 4.3 | Medium |
| CVE-2024-28916 | Xbox Gaming Services Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Xbox Cryptographic Services | 8.8 | High |
| CVE-2024-2887 | Chromium: Type Confusion in WebAssembly | Not stated | Not stated | Microsoft Edge (Chromium-based) | Not stated | Not stated |
| CVE-2024-2886 | Chromium: Use after free in WebCodecs | Not stated | Not stated | Microsoft Edge (Chromium-based) | Not stated | Not stated |
| CVE-2024-2885 | Chromium: Use after free in Dawn | Not stated | Not stated | Microsoft Edge (Chromium-based) | Not stated | Not stated |
| CVE-2024-2883 | Chromium: Use after free in ANGLE | Not stated | Not stated | Microsoft Edge (Chromium-based) | Not stated | Not stated |
| CVE-2024-27319 | ONNX out-of-bounds read due to off-by-one string copy | Out-of-bounds Read | Not stated | Mariner | Not stated | Not stated |
| CVE-2024-27318 | ONNX directory traversal via external_data path | Directory Traversal | Not stated | Mariner | Not stated | Not stated |
| CVE-2024-26588 | LoongArch: BPF – prevent out-of-bounds memory access | Out-of-bounds Memory Access | Not stated | Mariner | Not stated | Not stated |
| CVE-2024-26585 | TLS: fix race between tx work scheduling and socket close | Race Condition | Not stated | Mariner | Not stated | Not stated |
| CVE-2024-26583 | TLS: fix race between async notify and socket close | Race Condition | Not stated | Mariner | Not stated | Not stated |
| CVE-2024-2626 | Chromium: Out-of-bounds read in SwiftShader | Out-of-bounds Read | Not stated | Microsoft Edge (Chromium-based) | Not stated | Not stated |
| CVE-2024-26247 | Microsoft Edge (Chromium-based) Security Feature Bypass | Security Feature Bypass | Low | Microsoft Edge (Chromium-based) | Not stated | Not stated |
| CVE-2024-26246 | Microsoft Edge (Chromium-based) Security Feature Bypass | Security Feature Bypass | Low | Microsoft Edge (Chromium-based) | Not stated | Not stated |
| CVE-2024-26204 | Outlook for Android Information Disclosure Vulnerability | Information Disclosure | Important | Outlook for Android | Not stated | High |
| CVE-2024-26203 | Azure Data Studio Elevation of Privilege Vulnerability | Elevation of Privilege | Important | Azure Data Studio | 7.3 | High |
Security teams should deploy the April 2026 patches across all Windows and server estates as soon as possible, with top priority given to public-facing SharePoint servers, Azure Data Studio instances, and high-risk browser platforms.
AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.