Microsoft’s April 2026 Patch Tuesday release addressed 167 security flaws across its product lineup, including two actively exploited zero-day vulnerabilities, according to verified security advisories and industry analysis. The update, released on April 14, 2026, represents one of the largest monthly patch bundles in recent years, targeting critical weaknesses in Windows operating systems, Microsoft Office components, and related enterprise software.
Among the vulnerabilities fixed, eight were classified as “Critical” severity, with seven of those being remote code execution flaws that could allow attackers to take full control of affected systems without user interaction. The Patch Tuesday also resolved 21 information disclosure vulnerabilities, 10 denial of service issues, nine spoofing vulnerabilities, 13 security feature bypass flaws, and 93 elevation of privilege weaknesses, based on categorization disclosed by Microsoft in its official security update guide.
The two zero-day vulnerabilities patched in this release were both actively exploited in the wild prior to the update. One flaw, tracked as CVE-2026-32201, is a spoofing vulnerability in Microsoft SharePoint Server that allows unauthorized attackers to manipulate network communications through improper input validation in Office SharePoint components. The second zero-day, identified as CVE-2026-33825, is an elevation of privilege vulnerability in Microsoft Defender that could enable attackers to gain higher-level system access, though experts noted potential reliability issues with current exploit methods.
Security researchers emphasized the urgency of applying these patches, particularly for organizations with internet-facing SharePoint servers, as the actively exploited SharePoint zero-day could allow threat actors to view or modify sensitive information even as maintaining access to compromised resources. The vulnerability carries a CVSS score of 6.5, reflecting its potential impact on confidentiality and integrity, though it does not directly affect system availability.
Microsoft’s update also included fixes for 80 additional flaws in Microsoft Edge and Chromium-based components, which were addressed by Google as part of the shared codebase maintenance. For Windows 11 users, the security updates were bundled with cumulative patches KB5083769 and KB5082052, while Windows 10 received the extended security update KB5082200. Users can manually check for these updates through Windows Security > Virus & threat protection > Protection Updates, then selecting “Check for updates.”
Industry analysts noted that the scale of this Patch Tuesday release reflects ongoing pressure from sophisticated threat actors targeting widely deployed enterprise software. The vulnerabilities addressed spanned multiple attack vectors, including network-based exploits, file parsing weaknesses, and authentication bypass techniques, underscoring the importance of timely patch deployment as a core component of organizational cybersecurity hygiene.
As of the April 17, 2026, reporting date, no further details about the extent of exploitation or specific threat actor groups leveraging these vulnerabilities had been publicly disclosed by Microsoft or government cybersecurity agencies. Organizations are advised to consult the official Microsoft Security Response Center portal for detailed mitigation guidance and to prioritize testing and deployment of these updates in accordance with their internal change management procedures.