Microsoft on Tuesday released 163 patches affecting 17 product families. Eight of the addressed issues are considered by Microsoft to be of Critical severity, and one of those is expected to be exploited within the next 30 days. Eighteen have a CVSS base score of 8.0 or higher. One – the SharePoint Spoofing vulnerability called CVE-2026-32201 – is currently known to be under active exploit in the wild, and one other (CVE-2026-33825, a Defender bug) has been publicly disclosed.

At patch time, 24 CVEs were judged more likely to be exploited in the next 30 days by the company’s estimation; that includes the Defender bug but not the SharePoint bug. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in the usual table below. Unusually, our protections list also includes a patch for a Critical-severity prototype pollution bug in Adobe’s Reader and Acrobat products.

The patch load this month falls just shy of last October’s record-breaking haul, but it also includes a massive set of advisories, most of them related to Chrome patches ingested by Edge. Six advisories concern Adobe, MITRE and AMD each contribute one for Windows, Microsoft itself contributes two already-patched CVEs for Chrome/Edge, and Chrome itself weighs in with 78. The tally doesn’t quite measure up to December 2025’s mighty Mariner-flavored banquet of advisories, but combined with the patch tally, it pushes this month’s items of concern to a daunting 251. Is this a taste of patch life in the OpenClaw / Glasswing era? There’s no way of knowing that yet, but we will all be watching with interest.

We are as always including at the end of this post appendices listing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base score (Appendix B), and by product family (Appendix C). Appendix D lists this month’s advisories. Appendix E provides a breakout of 127 CVEs affecting various versions of Windows Server.

Finally, we note with pleasure that Microsoft has taken to providing CWE (Common Weakness Enumeration) information for virtually all of their patches. For now, to make the most of this new transparency, we’re adding an Appendix F, in which we look at the distribution of this month’s CWEs. (Three weaknesses, by the way, account for over half of this month’s patches. To find out which three, read to the end.)

By the numbers

• Total CVEs: 163
• Publicly disclosed: 1
• Exploit detected: 1
• Severity
  • Critical: 8
  • Important: 154
  • Moderate: 1
• Impact:
  • Denial of Service: 8
  • Elevation of Privilege: 94
  • Information Disclosure: 20
  • Remote Code Execution: 20
  • Security Feature Bypass: 12
  • Spoofing: 8
  • Tampering: 1
• CVSS base score 9.0 or greater: 2
• CVSS base score 8.0 or greater: 18

Figure 1: Elevation of Privilege represents the lion’s share of April’s CVEs, but over a third of the RCEs are Critical-class

Products

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa. 

Figure 2: Windows dominates the patch list, though just four of those are Critical-class issues

Figure 3: Over the years we have flagged repeatedly that April and October, and to a lesser extent January, tend to be high-load patch months. As 2026 unfolds, we’ll be keeping an eye on overall patch counts, but for now, we’ll simply note that the cumulative EoP total alone went up by 73 percent in April. The rest of 2026 might be quite a ride.

Notable April updates

In addition to the issues discussed above, a number of specific items merit attention. 

CVE-2026-33824 -- Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution

A Critical-severity RCE with a punishing 9.8 CVSS Base score, it’s a bit of a relief that Microsoft apparently found this one in-house rather than in the wild. The problem rests in Internet Key Exchange, the secure key-management protocol that negotiates secure IPsec associations – so, affecting great swaths of connectivity. This one comes with temporary mitigation options: If you cannot immediately install this update, adjust your traffic rules for UDP ports 500 and 4500 – blocking inbound traffic for systems that don’t use IKE, or configuring the ports to accept inbound traffic only from known peer addresses for systems that do. (There is a fine post on WindowsForum that discusses this bug and how to parse Microsoft’s guidance concerning it.) But do install this patch as soon as you can.

CVE-2026-32201 -- Microsoft SharePoint Server Spoofing Vulnerability

A true in-the-wild zero-day before getting its Patch Tuesday comeuppance, this bug would permit an unauthorized attacker to spoof an actual user, able to read or modify certain data and potentially adding heft to social-engineering trickery. It rates only an Important severity (or, if you prefer, a CVSS Base score of 6.5), but Microsoft confirms that it’s in active use. Prioritize your patching accordingly.

CVE-2026-33825 -- Microsoft Defender Elevation of Privilege Vulnerability

The only vulnerability publicly disclosed in advance of Patch Tuesday, this Important-severity EoP would allow an attacker to elevate privileges locally if Defender is enabled. Microsoft customers who have Defender enabled and take their automatic updates will be patched automatically, or can manually draw down the update if they don’t want to wait. Meanwhile, systems on which Defender is disabled cannot be exploited by this vulnerability. 

CVE-2026-32190 -- Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2026-33114 -- Microsoft Word Remote Code Execution Vulnerability
CVE-2026-33115 -- Microsoft Word Remote Code Execution Vulnerability

Office and 365 share three Critical-severity vulnerabilities this month; all three include Preview Pane as a vector.

CVE-2026-26151 -- Remote Desktop Spoofing Vulnerability

An excellent development: Starting this month, the Remote Desktop Connection app shows new security warnings when you open RDP files. This CVE makes that possible -- it literally beefs up the user interface’s warning of potentially dangerous operations. (Microsoft has the details on their site.) Considering RDP’s long reign atop the initial-attacker-access charts, it’s good to add some friction to the process.

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of April patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE. 

Elevation of Privilege (94 CVEs)

Remote Code Execution (20 CVEs)

Information Disclosure (20 CVEs)

Security Feature Bypass (12 CVEs)

Denial of Service (8 CVEs)

Spoofing (8 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

One CVE in April is known to be already under exploit in the wild.

This is a list of the 24 April CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

These are the April CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema. 

Appendix C: Products Affected

This is a list of April’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple131 times, once for each product family. Certain issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft. For further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (131 CVEs)

365 (12 CVEs)

Office (11 CVEs)

.NET (6 CVEs)

Excel (5 CVEs)

Azure (4 CVEs)

SQL Server (3 CVEs)

Visual Studio (3 CVEs)

SharePoint (2 CVEs)

Defender (1 CVE)

Dynamics 365 (1 CVE)

HPC Pack (1 CVE)

PowerApps (1 CVE)

PowerPoint (1 CVE)

PowerShell (1 CVE)

RDP Client for Windows (1 CVE)

Windows Server Update Services (WSUS) (1 CVE)

Appendix D: Advisories and Other Products

There are 80 Edge-related advisories listed in April’s release, all but two from Chrome. Because the two from Microsoft were (like the Chrome CVEs) patched before Patch Tuesday, and because this post is already gruesomely long, we have massed all 80 together in the very long table below.

Meanwhile, there are six updates from Adobe, all affecting ColdFusion 2025 - Update 6 and earlier versions, as well as ColdFusion 2023 - Update 18 and earlier versions. These are addresseḍ in APSB26-38. These are unrelated to the Adobe item covered in the Sophos protection noted above.

Appendix E: Affected Windows Server versions

This is a table of 127 CVEs in the April release affecting Windows Server versions 2012 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). An “x” indicates that the CVE does not apply to that version. CVE-2026-27906, CVE-2026-32153, CVE-2026-32195, and CVE-2026-32216 affect only client-side versions of Windows and are thus not included in the table. We do, however, include the two Important-severity, Windows-touching advisories from AMD and MITRE, since the Server versions they affect are known; those are indicated in this chart in blue.

Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft. 

Appendix F: Common Weakness Enumeration

As mentioned above, Microsoft now states which CWEs affect very nearly every CVE they address. (We noted only two CVEs that had no CWE information -- CVE-2026-26149, the PowerApps security feature bypass, and the advisory-only CVE-2026-33118 affecting Edge/Chrome). We’re looking forward to analyzing this data over time. 

This month, we decided to start off by seeing which CWEs were most heavily represented in this inaugural dataset. (For the moment, we’re not diving into specific CVE-CWE correlations -- for instance, which CWEs are more prevalent among which product families -- nor are we comparing prevalence of CWEs to seriousness of bugs, such as might be indicated by CVSS scores. Nor are we pointing out where the popular 2025 CWE Top 25 Most Dangerous Software Weaknesses List maps to April’s list.) 

The April dataset of 163 patches references 196 CWEs. Of that 163, 29 patches referenced two CVEs, and five referenced three CWEs. Meanwhile, there were just 42 unique CWEs represented this month (the latest MITRE catalog, version 4.19.1, defines 944 total CWEs) and just three of those accounted for over half of all vulnerabilities patched in April, as shown in the table below. 

Among the 29 CVEs that doubled up on their CWEs, the vast majority combined CWE-416 and CWE-362 – that is, a use-after-free plus a race condition. Though findings such as these are not exactly shocking for longtime observers, it’s exciting to have fresh statistics in hand as we contemplate whether the barn-busting April patch harvest is the shape of things to come.