Microsoft's April Patch Tuesday Fixes Record 169 Flaws, Including Actively Exploited SharePoint Zero-Day
**Microsoft** has released security updates to address a staggering 169 vulnerabilities across its product range, marking the second-largest Patch Tuesday ever. The updates include a fix for a **Microsoft SharePoint Server** spoofing vulnerability, **CVE-2026-32201**, which is already being actively exploited in the wild.

**Microsoft**'s April 2026 Patch Tuesday addresses a record 169 security vulnerabilities, surpassing all but one previous update in size. The release fixes critical flaws across the company's broad product portfolio, including one zero-day vulnerability that is currently being exploited.
### Vulnerability Breakdown
Of the 169 vulnerabilities patched, 157 are classified as Important, eight as Critical, three as Moderate, and one as Low. The majority of these flaws (93) are privilege escalation vulnerabilities, followed by information disclosure (21), remote code execution (21), security feature bypass (14), spoofing (10), and denial-of-service (9) vulnerabilities. The updates also include four CVEs issued by parties other than **Microsoft**, affecting **AMD** (**CVE-2023-20585**), **Node.js** (**CVE-2026-21637**), Windows Secure Boot (**CVE-2026-25250**), and **Git for Windows** (**CVE-2026-32631**). This is in addition to the 78 vulnerabilities addressed in the Chromium-based Edge browser since last month's update.
### A Record-Breaking Patch
This release is the second-largest Patch Tuesday to date, trailing only October 2025, when **Microsoft** patched 183 flaws. **Satnam Narang**, senior staff research engineer at **Tenable**, noted that if the pace continues, 2026 will likely see over 1,000 Patch Tuesday CVEs.
Narang further observed the dominance of elevation of privilege bugs in recent Patch Tuesday cycles, accounting for 57% of all CVEs patched in April. Remote code execution (RCE) vulnerabilities have decreased to 12%, tying with information disclosure vulnerabilities.
### Actively Exploited Vulnerability: CVE-2026-32201
The actively exploited vulnerability is **CVE-2026-32201** (CVSS score: 6.5), a spoofing vulnerability in **Microsoft SharePoint Server**. According to **Microsoft**, improper input validation allows an unauthorized attacker to perform spoofing over a network, potentially viewing sensitive information or making changes to disclosed information.
While the vulnerability was internally discovered, the specifics of its exploitation, the actors involved, and the scale of the attacks are currently unknown.
**Mike Walters**, president and co-founder of **Action1**, emphasized that this flaw allows attackers to manipulate how information is presented to users, potentially tricking them into trusting malicious content.
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has added **CVE-2026-32201** to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies remediate the vulnerability by April 28, 2026.
### Publicly Known Vulnerability: CVE-2026-33825 (BlueHammer)
Another notable vulnerability is **CVE-2026-33825**, a privilege escalation flaw in **Microsoft Defender** (CVSS score: 7.8), which was publicly known at the time of release. This flaw could allow an authorized attacker to elevate privileges locally by exploiting **Defender**'s lack of adequate granular access controls.
**Microsoft** states that no user action is required to install the update for **CVE-2026-33825**, as the platform updates itself frequently by default. Systems that have disabled **Microsoft Defender** are not vulnerable.
This patch is believed to resolve a zero-day exploit known as **BlueHammer**, which was shared on **GitHub** on April 3, 2026, by a security researcher after a dispute with **Microsoft** over the vulnerability disclosure process. Access to the exploit repository currently requires a **GitHub** login.
**Cyderes** explains that **BlueHammer** exploits the **Microsoft Defender** update process through Volume Shadow Copy abuse to escalate privileges to NT AUTHORITY\SYSTEM by chaining legitimate Windows features.
Researchers **Rahul Ramesh** and **Reegun Jayapaul** of **Cyderes** detailed how **BlueHammer** uses Cloud Files callbacks and oplocks to pause **Defender** during the creation of a temporary Volume Shadow Copy snapshot, leaving the SAM, SYSTEM, and SECURITY registry hives accessible.
**Will Dormann** confirmed on Mastodon that the **BlueHammer** exploit no longer functions and appears to be fixed by **CVE-2026-33825**, although some components of the exploit may still work.
### Critical Remote Code Execution Vulnerability: CVE-2026-33824
Among the most severe vulnerabilities is **CVE-2026-33824**, a remote code execution flaw impacting the Windows Internet Key Exchange (IKE) Service Extensions, with a CVSS score of 9.8 out of 10.0.
**Adam Barnett**, lead software engineer at **Rapid7**, stated that exploitation requires an attacker to send specially crafted packets to a Windows machine with IKE v2 enabled, potentially leading to remote code execution.
Barnett highlighted the rarity of unauthenticated RCE vulnerabilities against modern Windows assets but emphasized the inherent exposure of IKE, given its role in providing secure tunnel negotiation services for VPNs.
**Walters** warned that this flaw poses a serious threat to enterprise environments, especially those using VPN or IPsec for secure communications. Successful exploitation could result in complete system compromise, enabling data theft, operational disruption, or lateral movement across the network. The lack of required user interaction and the potential for widespread attacks make this vulnerability particularly dangerous for internet-facing systems running IKEv2 services.