Microsoft closed out April 14, 2026 with its second-largest Patch Tuesday on record: 167 vulnerabilities fixed in a single release. That count nearly triples February’s total and makes April the heaviest patching month of the year by a wide margin. If you run Windows machines or servers, this is one of the rollups you’ll want to apply soon.
What’s in the bundle
Of the 167 bugs, eight are rated critical. Seven are remote code execution and the eighth is a denial of service. The rest spread across privilege escalation, information disclosure, spoofing and security feature bypass. On top of that, almost 60 browser patches (Edge and the Chromium engine underneath) ship in the same window, which Microsoft counts separately.
The two zero-days are what make speed matter here.
The SharePoint zero-day, exploited in attacks
The first is a spoofing vulnerability in Microsoft SharePoint Server (CVE-2026-32201, CVSS 6.5). It stems from improper input validation: an unauthenticated attacker can run spoofing attacks over the network, view information they shouldn’t, and tamper with disclosed data. The CVSS score is medium, but the score is not what sets the priority here: Microsoft confirmed it was already being exploited in real attacks when the patch shipped. A zero-day with SharePoint servers in the mix deserves high priority, especially if you expose any instances to the internet.
The second zero-day: SYSTEM escalation in Defender
The other is a privilege elevation in the Microsoft Defender antimalware platform (CVE-2026-33825, CVSS 7.8), nicknamed BlueHammer. It grants SYSTEM-level privileges, the highest on a Windows box. Unlike the SharePoint flaw, this one was publicly disclosed before a patch existed, though it hasn’t been tied to active exploitation so far. Having the technical details out in the open with no fix available is exactly what raises the risk. It’s fixed in engine version 4.18.26030.3011, which ships automatically, so most machines will pick it up without manual work.
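To confirm that a machine actually received the fix instead of assuming the automatic update landed, compare the reported version numerically. The PowerShell below is an added example, not Microsoft's tooling or code from the original article; it assumes the 4.18.x number quoted above is the value `Get-MpComputerStatus` reports as `AMProductVersion`, and the inventory rows are constructed sample data.

```powershell
# Fixed version as stated in the article.
$FixedVersion = [version]'4.18.26030.3011'

function Get-DefenderPatchState {
    # Hypothetical helper name; returns PATCHED, BELOW_FIX or UNKNOWN.
    param([AllowNull()][AllowEmptyString()][string]$Reported)

    # Compare as [version], not as strings: a string comparison would
    # rank '4.18.3000.1' above '4.18.26030.3011'.
    $parsed = $null
    if (-not [version]::TryParse($Reported, [ref]$parsed)) {
        return 'UNKNOWN'      # empty or malformed: Defender absent or not reporting
    }
    if ($parsed -ge $FixedVersion) { return 'PATCHED' }
    return 'BELOW_FIX'
}

# Constructed inventory export (host names and versions are made up).
$inventory = @(
    [pscustomobject]@{ ComputerName = 'ws-001';  Version = '4.18.26030.3011' }
    [pscustomobject]@{ ComputerName = 'ws-002';  Version = '4.18.26020.6' }
    [pscustomobject]@{ ComputerName = 'ws-003';  Version = '4.18.3000.1' }
    [pscustomobject]@{ ComputerName = 'srv-db1'; Version = '' }
)

$inventory | Select-Object ComputerName, Version,
    @{ Name = 'State'; Expression = { Get-DefenderPatchState $_.Version } }

# Same check against the local machine. Assumption: AMProductVersion is the
# field that carries the 4.18.x number.
try {
    $local = (Get-MpComputerStatus -ErrorAction Stop).AMProductVersion
    '{0}: {1} -> {2}' -f $env:COMPUTERNAME, $local, (Get-DefenderPatchState $local)
} catch {
    '{0}: Defender status unavailable ({1})' -f $env:COMPUTERNAME, $_.Exception.Message
}
```

Hosts that come back as UNKNOWN deserve a manual look, since a machine that reports no version is not covered by the automatic update path the article describes.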
Other bugs worth a look
Among the critical RCEs, a couple stand out for their reach. One hits Windows IKE (CVE-2026-33824, CVSS 9.8), a double free that ZDI tags as wormable and that is exploitable over the network without authentication; blocking UDP ports 500 and 4500 works as a temporary mitigation, at the cost of the IKE and IPsec NAT traversal traffic that uses those ports. Another sits in the Windows TCP/IP stack (CVE-2026-33827), a race condition affecting systems with IPv6 and IPSec enabled. There are also critical RCEs in Active Directory and in Office/Word, the latter exploitable through the preview pane, meaning the victim doesn’t have to open the document by hand.
If you handle attachments daily, prioritise the Office updates. And check the neighbouring months so you don’t leave gaps: there’s the March roundup and the May one, where for the first time in nearly two years Microsoft reported no zero-days at all.
The usual advice applies for a bundle this size: test against a pilot group if you manage a large fleet, then deploy to exposed machines as soon as you can.