Microsoft Patch Tuesday April 2026 (Tue, Apr 14th)
This month's Microsoft Patch Tuesday looks like a record one, but let's look at it a bit closer to understand what is happening. The update patches a total of 243 vulnerabilities. However, 78 of them are Chromium issues affecting Microsoft Edge. Patches for Edge were released earlier. This leaves 165 vulnerabilities that are not Edge-related. Of these, 8 are rated critical, and 154 are important. One vulnerability has already been exploited, and another was made public before today but has not yet been seen in the wild.

Noteworthy Vulnerabilities:

CVE-2026-33827 (Windows TCP/IP Remote Code Execution Vulnerability): As a packet nerd, I love these types of vulnerabilities. Need to know more to really figure out the impact. Microsoft describes this as a race condition, allowing attackers to execute arbitrary code over the network. Exploitation is likely tricky, but never underestimate the creativity of an AI-aided attacker.

CVE-2026-33825 (Microsoft Defender Elevation of Privilege Vulnerability): This vulnerability has already been disclosed.

CVE-2026-32201 (Microsoft SharePoint Server Spoofing Vulnerability): Two similar SharePoint server spoofing vulnerabilities were patched this month. Both are rated important, and this particular one is already being exploited.

CVE-2026-33826 (Windows Active Directory Remote Code Execution Vulnerability): CVSS score of only 8.0, but critical according to Microsoft.

CVE-2026-32190 (Microsoft Office Remote Code Execution Vulnerability): Standard fare for every monthly Patch Tuesday. These are often the more worrisome vulnerabilities. Two additional critical RCE vulnerabilities affect Word (CVE-2026-33114, CVE-2026-33115).

CVE-2026-32157 (Remote Desktop Client Remote Code Execution Vulnerability): Typically, these vulnerabilities require a user to connect to a malicious RDP server, but connections may be initiated by clicking on an rdp: link.

CVE-2026-33824 (Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability): IKE, part of IPsec, is usually not enabled by default. It isn't clear yet what the exact exploitation requirements are (will update once MSFT's page responds again).

CVE-2026-23666 (.NET Framework Denial of Service Vulnerability): Just a denial of service. Not sure why this deserved critical.

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Denial of Service Vulnerability | CVE-2026-26171 | No | No | - | - | Important | 7.5 | 6.5 |
| .NET Framework Denial of Service Vulnerability | CVE-2026-32226 | No | No | - | - | Important | 5.9 | 5.2 |
| .NET Framework Denial of Service Vulnerability | CVE-2026-23666 | No | No | - | - | Critical | 7.5 | 6.7 |
| .NET Spoofing Vulnerability | CVE-2026-32178 | No | No | - | - | Important | 7.5 | 6.5 |
| .NET and Visual Studio Denial of Service Vulnerability | CVE-2026-32203 | No | No | - | - | Important | 7.5 | 6.5 |
| .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | CVE-2026-33116 | No | No | - | - | Important | 7.5 | 6.5 |

Active Directory Spoofing Vu
Originally published by SANS ISC
Source: https://isc.sans.edu/diary/rss/32898