Microsoft’s April 2026 Patch Tuesday release contains fixes for 163 CVEs, making it the second biggest Patch Tuesday ever, just shy of the record set in October 2025 at 167 CVEs. At this pace, 2026 is on track to affirm that 1,000+ Patch Tuesday CVEs annually is the norm. Not only that, but elevation of privilege bugs continue to dominate the Patch Tuesday cycle over the last eight months, accounting for a record 57% of all CVEs patched in April, while remote code execution (RCE) vulnerabilities have dropped to just 12%, tied with information disclosure vulnerabilities this month.
This month, Microsoft patched a SharePoint Server spoofing vulnerability (CVE-2026-32201) that was exploited in the wild as a zero-day. This might sound like deja vu, and that’s because the last SharePoint Server spoofing vulnerability exploited as a zero-day was CVE-2025-49706 from July 2025, part of the ToolShell exploit chain used by ransomware and cyberespionage groups. While we lack insight into the in-the-wild exploitation associated with this latest flaw and whether it is related to the ToolShell exploit chain, it underscores how valuable SharePoint Server is as a target for attackers.
CVE-2026-33825 is an elevation of privilege vulnerability in Microsoft Defender that is marked as publicly disclosed. The timing of this aligns with the recent disclosure of the BlueHammer elevation of privilege vulnerability in Defender, which was disclosed on April 8. While we don’t have confirmation of the connection, this one warrants attention.
This month, Microsoft’s Remote Desktop received a fix for CVE-2026-26151, a spoofing vulnerability. Previous behavior allowed users to receive and open Remote Desktop Protocol (RDP) files without any sort of warning. In the April 2026 Security Update, Microsoft will now provide sufficient warning dialogues to users when interacting with potentially malicious RDP files. – Satnam Narang, Senior Staff Research Engineer at Tenable