Microsoft Patch Tuesday April 2026 Fixes 168 Vulnerability, Includes Exploited Zero-Day

Microsoft released its April 2026 Patch Tuesday security update on April 14, addressing 168 vulnerabilities, including one actively exploited zero-day flaw.

The update spans critical components, including Windows TCP/IP, Active Directory, Microsoft Office Word, .NET Framework, Hyper-V, and the Windows Kernel, making it one of the most substantial patch releases of the year.

The most urgent fix in this month’s update targets CVE-2026-32070, a Windows Common Log File System (CLFS) Driver Elevation of Privilege vulnerability rated Important by Microsoft.

This flaw has been confirmed as actively exploited in the wild, consistent with a recurring pattern of threat actors leveraging CLFS driver weaknesses to achieve SYSTEM-level privileges on compromised endpoints.

Organizations running unpatched Windows environments should treat this as the highest priority remediation this cycle, as EoP vulnerabilities of this type are commonly chained with initial access exploits in targeted ransomware and APT campaigns.

Critical Remote Code Execution Flaws

Three Critical-rated Remote Code Execution (RCE) vulnerabilities demand immediate attention from enterprise defenders:

• CVE-2026-33827 — Windows TCP/IP Remote Code Execution Vulnerability (Critical): An unauthenticated attacker could exploit this flaw over a network to execute arbitrary code, making it one of the highest-severity entries in this month’s update.
• CVE-2026-33826 — Windows Active Directory Remote Code Execution Vulnerability (Critical): Domain controller environments face particular exposure, as successful exploitation could allow adversaries to execute code within Active Directory infrastructure.
• CVE-2026-33824 — Windows Internet Key Exchange (IKE) Service Extensions RCE (Critical): This vulnerability targets VPN- and IPsec-enabled systems, posing a risk to organizations that rely on Windows IKE for encrypted tunneling.

Additionally, Microsoft patched two separate Critical Microsoft Word RCE vulnerabilities, CVE-2026-33115 and CVE-2026-33114, along with a third Important-rated Word CVE-2026-23657 — 7, highlighting persistent targeting of Office document processing by threat actors.

The April update also resolves several high-impact flaws affecting core Windows components. CVE-2026-23666, a Critical Denial-of-Service vulnerability in the .NET Framework, poses a risk to enterprise application stacks that rely on the framework. 

CVE-2026-26156, a Windows Hyper-V RCE rated Important, could allow attackers to escape from virtualized environments in cloud and on-premises deployments.

Several Elevation of Privilege vulnerabilities patched this cycle affect the Windows Kernel (CVE-2026-26180, CVE-2026-26179), Windows Kerberos (CVE-2026-27912), Microsoft Defender (CVE-2026-33825), and PowerShell (CVE-2026-26170).

Security Feature Bypass vulnerabilities were also addressed in Windows BitLocker (CVE-2026-27913), Windows Hello (CVE-2026-27928), Secure Boot (CVE-2026-25250), and Windows Boot Manager (CVE-2026-26175).

On the information disclosure front, CVE-2026-32631, a Git for Windows vulnerability, allows git clone operations from manipulated repositories to leak NTLM credential hashes, posing a risk of exposing credentials in environments.

Security teams are urged to deploy the April 2026 updates immediately, with top priority given to the actively exploited SharePoint zero-day and all Critical-rated remote code execution (RCE) flaws.

The Microsoft Security Response Center (MSRC) has flagged these vulnerabilities for urgent remediation, warning that unpatched systems remain directly exposed to ongoing threat actor activity.