Security News

Cybersecurity news aggregator

CRITICAL Updates CrowdStrike

April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs

Microsoft's April 2026 Patch Tuesday addresses 164 CVEs, including an exploited zero-day spoofing vulnerability in SharePoint Server (CVE-2026-32201, CVSS 6.5) allowing unauthenticated attackers to perform spoofing via improper input validation, and a publicly disclosed privilege escalation flaw in Microsoft Defender (CVE-2026-33825, CVSS 7.8) enabling local attackers to gain SYSTEM privileges. The SharePoint vulnerability affects versions prior to 16.0.19725.20210, including SharePoint Server 2016 and 2019, with the fix available in version 16.0.19725.20210. The Defender vulnerability has been patched, with updates automatically deploying to some systems.

April 14, 2026 | Falcon Exposure Management Team | Exposure Management

Microsoft has addressed 164 vulnerabilities in its April 2026 security update release, double the number of vulnerabilities in March 2026. These include one exploited zero-day vulnerability, one previously disclosed zero-day vulnerability, and eight Critical vulnerabilities.

April 2026 Risk Analysis

This month's leading risk type by exploitation technique is elevation of privilege with 93 patches (57%). Remote code execution (RCE) and information disclosure followed with 20 patches each (12%).

Figure 1. Breakdown of April 2026 Patch Tuesday exploitation techniques

Microsoft Windows received by far the most patches this month with 131 (80%), followed by Microsoft Office with 14, and Developer Tools with 8.

Figure 2. Breakdown of product families affected by April 2026 Patch Tuesday

Exploited Zero-Day Vulnerability in Microsoft SharePoint Server

CVE-2026-32201 is an Important spoofing vulnerability affecting Microsoft SharePoint Server and has a CVSS score of 6.5. It has been exploited in the wild as a zero-day. This vulnerability allows unauthenticated remote attackers to perform spoofing by exploiting an improper input validation flaw (CWE-20) in Microsoft Office SharePoint. No user interaction is required and attack complexity is low. An attacker that successfully exploits this vulnerability could view sensitive information and make changes to disclosed information, impacting both confidentiality and integrity of the affected system. Availability is not impacted. An official fix is available for customers to deploy.

Table 1. Exploited zero-day vulnerability in Microsoft SharePoint Server

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 6.5 | CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability |

Disclosed Zero-Day Vulnerability in Microsoft Defender

CVE-2026-33825 is an Important elevation of privilege vulnerability affecting Microsoft Defender and has a CVSS score of 7.8. This vulnerability allows local attackers with low privileges to elevate their privileges by exploiting an insufficient granularity of access control flaw (CWE-1220) in Microsoft Defender. It requires no user interaction and has low attack complexity. An attacker that successfully exploits this vulnerability could gain SYSTEM privileges. This vulnerability had been publicly disclosed prior to a patch being released, though there is no evidence of exploitation in the wild. Proof-of-concept exploit code exists, and Microsoft assesses exploitation as more likely. An official fix is available for customers to deploy, though for some systems this update will be installed automatically with no action required. It is presumed this is the CVE for the BlueHammer exploit released on April 2, 2026, though there is no official confirmation at the time this blog was written.

Table 2. Disclosed zero-day vulnerability in Microsoft Defender

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability |

Critical Vulnerability in Windows TCP/IP

CVE-2026-33827 is a Critical remote code execution vulnerability affecting Windows TCP/IP and has a CVSS score of 8.1. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting a race condition flaw (CWE-362) in the Windows TCP/IP stack. It requires no user interaction, though it carries high attack complexity. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted IPv6 packet to a Windows node where IPSec is enabled. Successful exploitation requires the attacker to win a race condition and take additional preparatory actions to configure the target environment prior to exploitation. An official fix is available for customers to deploy.

Table 3. Critical vulnerability in Windows TCP/IP

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.1 | CVE-2026-33827 | Windows TCP/IP Remote Code Execution Vulnerability |

Critical Vulnerability in Windows Internet Key Exchange (IKE) Service Extensions

CVE-2026-33824 is a Critical remote code execution vulnerability affecting Windows Internet Key Exchange (IKE) Service Extensions and has a CVSS score of 9.8. It allows unauthenticated remote attackers to execute arbitrary code by exploiting a double free flaw (CWE-415) in the Windows IKE Extension. No user interaction is required and attack complexity is low. An unauthenticated attacker could exploit this vulnerability by sending specially crafted packets to a Windows machine with Internet Key Exchange (IKE) version 2 enabled, which could enable remote code execution on the target system. An official fix is available for customers to deploy. For customers who cannot immediately apply the update, Microsoft recommends blocking inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE, or restricting inbound traffic on those ports to known peer addresses only for systems that require IKE. Note that these mitigations reduce attack surface but do not replace applying the security update.

Table 4. Critical vulnerability in Windows Internet Key Exchange (IKE) Service Extensions

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability |

Critical Vulnerability in Remote Desktop Client

CVE-2026-32157 is a Critical remote code execution vulnerability affecting Remote Desktop Client and has a CVSS score of 8.8. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting a use-after-free flaw (CWE-416) in the Remote Desktop Client. It requires user interaction and has low attack complexity. An attacker with control of a malicious Remote Desktop Server could exploit this vulnerability by enticing a victim to connect to the attacker-controlled server using a vulnerable Remote Desktop Client. Upon connection, the attacker could trigger remote code execution on the victim's machine. The attack targets the client side of the Remote Desktop connection, meaning the risk lies with users initiating connections to untrusted or compromised servers. An official fix is available for customers to deploy.

Table 5. Critical vulnerability in Remote Desktop Client

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.8 | CVE-2026-32157 | Remote Desktop Client Remote Code Execution Vulnerability |

Critical Vulnerabilities in Microsoft Office and Microsoft Word

CVE-2026-32190, CVE-2026-33114, and CVE-2026-33115 are Critical remote code execution vulnerabilities affecting Microsoft Office and Microsoft Word, all with a CVSS score of 8.4. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting a use-after-free flaw (CVE-2026-32190 and CVE-2026-33115) and an untrusted pointer dereference flaw (CVE-2026-33114) in Microsoft Office components. None of the three vulnerabilities requires user interaction, and all have low attack complexity. While no user interaction is required, an attacker would still need to cause a crafted file to be saved on a victim system. The Preview Pane is an attack vector for all three vulnerabilities. As such, an attacker could create a specially crafted file that executes malicious code on the victim's machine simply through the preview pane, without requiring the victim to open the file. An official fix is available for customers to deploy.

Table 6. Critical vulnerabilities in Microsoft Office and Microsoft Word

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.4 | CVE-2026-32190 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2026-33114 | Microsoft Word Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2026-33115 | Microsoft Word Remote Code Execution Vulnerability |

Critical Vulnerability in Windows Active Directory

CVE-2026-33826 is a Critical remote code execution vulnerability affecting Windows Active Directory and has a CVSS score of 8.0. This vulnerability allows authenticated attackers to execute arbitrary code by exploiting an improper input validation flaw (CWE-20) in Windows Active Directory. It requires no user interaction and has low attack complexity. An authenticated attacker could exploit this vulnerability by sending a specially crafted RPC call to an RPC host, potentially resulting in remote code execution on the server side with the same permissions as the RPC service. Successful exploitation requires the attacker to be within the same restricted Active Directory domain as the target system. An official fix is available for customers to deploy.

Table 7. Critical vulnerability in Windows Active Directory

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.0 | CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability |

Critical Vulnerability in .NET Framework

CVE-2026-23666 is a Critical denial-of-service (DoS) vulnerability affecting the .NET Framework and has a CVSS score of 7.5. This vulnerability allows unauthenticated remote attackers to exploit an improper handling of exceptional conditions flaw (CWE-755) to cause a DoS condition on affected systems. It requires no user interaction and has low attack complexity. An official fix is available for customers to deploy.

Table 8. Critical vulnerability in Microsoft .NET Framework

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 7.5 | CVE-2026-23666 | .NET Framework Denial of Service Vulnerability |

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strateg
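
The interim mitigation for CVE-2026-33824 described above (block inbound UDP 500 and 4500 where IKE is unused, or limit those ports to known peers) can be applied on the host with the built-in Windows NetSecurity cmdlets. This is an added example, not code from Microsoft or CrowdStrike; the rule name and the peer addresses (documentation ranges) are constructed placeholders.

```powershell
# Added example. Rule name and peer addresses are constructed placeholders.
$IkePorts = '500', '4500'

function Get-IkeInboundAllowRule {
    # Enabled inbound allow rules whose port filter names UDP 500/4500 or Any.
    # Port ranges (e.g. '400-600') are not expanded; review those by hand.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $pf   = $rule | Get-NetFirewallPortFilter
        $hit  = @($pf.LocalPort) | Where-Object { $_ -in ($IkePorts + 'Any') }
        if (($pf.Protocol -in 'UDP', 'Any') -and $hit) {
            [pscustomobject]@{
                Rule          = $rule
                DisplayName   = $rule.DisplayName
                LocalPort     = @($pf.LocalPort) -join ','
                RemoteAddress = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
            }
        }
    }
}

function Block-IkeInbound {
    # Host does not use IKE: drop inbound UDP 500/4500 from every source.
    # An explicit block rule takes precedence over any matching allow rule.
    New-NetFirewallRule -DisplayName 'Interim - block inbound IKE (CVE-2026-33824)' `
        -Direction Inbound -Protocol UDP -LocalPort $IkePorts -Action Block -Profile Any
}

function Set-IkePeerScope {
    param([Parameter(Mandatory)][string[]]$PeerAddresses)
    # Host needs IKE: narrow allow rules that name the IKE ports to known peers.
    # Rules with LocalPort 'Any' are left for manual review. Scoping is effective
    # only while the profile's default inbound action is Block.
    Get-IkeInboundAllowRule | Where-Object { $_.LocalPort -ne 'Any' } | ForEach-Object {
        $_.Rule | Set-NetFirewallRule -RemoteAddress $PeerAddresses
    }
}

# Report first, then choose one action per host.
Get-Service -Name IKEEXT | Select-Object Name, Status, StartType
Get-IkeInboundAllowRule | Format-Table DisplayName, LocalPort, RemoteAddress
# Block-IkeInbound
# Set-IkePeerScope -PeerAddresses '192.0.2.10', '198.51.100.7'
```

Narrowing a rule that lists other ports alongside 500 or 4500 also narrows those ports, so check the audit output before running `Set-IkePeerScope`.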
